How do I troubleshoot SigV4 Signature Mismatch errors with Amazon S3 presigned URLs?


I'm using an Amazon Simple Storage Service (Amazon S3) presigned URL to make requests to my Amazon S3 bucket, and I'm getting the SignatureDoesNotMatch error.

Short description

You get this error when the signature value that's calculated from your HTTP request to AWS doesn't match the value that Amazon S3 calculates. For more information, see List of error codes.

When you generate a presigned URL, the client calculates a unique signature to authenticate the request. Then, Amazon S3 calculates its own signature from the parameters that are sent in the HTTP request and compares the two signatures. If the signatures don't match, then you receive the SignatureDoesNotMatch error.

To troubleshoot this error, do the following:

  • Validate the HTTP method: Confirm that the HTTP method (GET, PUT, or DELETE) of the request that you send to S3 matches the HTTP method that the presigned URL was generated for.
  • Check the secret access key: Make sure that you use the correct secret access key to generate the presigned URL. If the secret access key was modified or is incorrect, then use the correct access key to regenerate the presigned URL.
  • Verify the bucket name and key name in the URL: Make sure that the bucket name and object key name are correct and match those of the object that you're trying to access.
  • Validate the headers that are used in the HTTP request: Verify that the headers were included in the signature calculation. Make sure that the HTTP headers that were used to generate the signature match those that were sent to S3 in the HTTP request.
  • Be sure that the AWS Region is correct: Validate that the signature is generated for the Region where the bucket currently exists.

Resolution

Incorrect HTTP method

When you generate a presigned URL, you assign an HTTP action to the URL. You get this error when the action that the client sent in the HTTP request doesn't match the HTTP action that's used in the URL. For example, if the request is signed for GET, but the HTTP action that's used in the request is PUT, then you get the error. For the URL to work, verify that you generate and use the URL for the intended HTTP method.

Incorrect secret access key

You get this error when the access key or secret access key that you use to generate the presigned URL is in one of the following states:

  • Incorrect
  • Not valid
  • Turned off

Check that you didn't add any mismatched characters or incorrect spacing to the access key.

Be sure that the access key and secret key that you provided during signature generation match the ones that were provided by AWS.

Incorrect key name or bucket name

You get this error when you use a presigned URL that you generated for a bucket or key to access a different bucket or key.

Verify that the bucket name and object name are correct and match the ones that were included in the signature generation of the URL. Note that a mismatched case also causes the signatures to be mismatched.

Unsigned headers or incorrect header values

Make sure that you don't send headers that weren't signed when the presigned URL's signature was generated. If you intend to send headers with your presigned S3 URL, then they must be accounted for within the generation of the URL's signature.

Also, make sure that the value of the header that you passed matches the one that was generated during signature calculation. Any mismatched header values, including case mismatches, result in the SignatureDoesNotMatch error.

Signature Region and bucket Region mismatch

Before sending the presigned URL to S3, validate that the Region where the URL was generated matches the Region where the bucket currently exists.

Use the GetBucketLocation API request to check the Region of an S3 bucket. You can also run the following AWS Command Line Interface (AWS CLI) command:

$ aws s3api get-bucket-location --bucket example-bucket

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

The output looks similar to the following one:

{  
    "LocationConstraint": "us-west-2"  
}
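
The header, key name, and Region checks above can be run against the presigned URL itself before it is used. The following is an added example, not AWS code: the function name, the sample URL, the access key ID, and the signature are constructed for illustration, and a virtual-hosted-style URL is assumed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the access key ID is a placeholder and the signature is a dummy.
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/Reports/q1.csv"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEYID0000%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=content-type%3Bhost"
    "&X-Amz-Signature=" + "0" * 64
)

def diagnose_presigned_url(url, bucket_region, headers_to_send, expected_key):
    """List SignatureDoesNotMatch causes that can be read from the URL itself.
    Assumes a virtual-hosted-style URL, so the path is the object key."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    # X-Amz-Credential = <access-key-id>/<date>/<region>/<service>/aws4_request
    scope = query.get("X-Amz-Credential", "").split("/")
    if len(scope) != 5 or scope[4] != "aws4_request":
        return ["credential: X-Amz-Credential is missing or malformed"]
    if scope[2] != bucket_region:
        findings.append(f"region: signed for {scope[2]}, bucket is in {bucket_region}")

    signed = set(query.get("X-Amz-SignedHeaders", "").lower().split(";")) - {""}
    sent = {name.lower() for name in headers_to_send} | {"host"}  # clients always send Host
    for name in sorted(signed - sent):
        findings.append(f"header: {name} was signed but will not be sent")
    for name in sorted(sent - signed):
        if name.startswith("x-amz-"):  # x-amz-* headers on the request must be signed
            findings.append(f"header: {name} will be sent but was not signed")

    key = unquote(parts.path.lstrip("/"))  # object keys are case-sensitive
    if key != expected_key:
        kind = "case differs" if key.lower() == expected_key.lower() else "different key"
        findings.append(f"key: URL has {key!r}, expected {expected_key!r} ({kind})")
    return findings

if __name__ == "__main__":
    # bucket_region is the LocationConstraint from get-bucket-location
    # (a null LocationConstraint means us-east-1).
    for line in diagnose_presigned_url(SAMPLE_URL, "us-west-2",
                                       {"x-amz-acl": "private"}, "reports/q1.csv"):
        print(line)
```

The HTTP method, the secret access key, and the signed header values are not recoverable from the URL, so those three checks still have to be made against the code that generated it.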

Related information

Using presigned URLs

When I try to access an S3 object, I get the error "Request has expired." Why?

AWS OFFICIAL
Updated 9 months ago