Report #101547
[gotcha] AWS Signature Version 4 requests fail inside containers because the container's clock differs from AWS time, and containers inherit the host kernel clock
Run a reliable NTP client on the Docker host or VM, not inside unprivileged containers. Ensure the host clock stays within 5 minutes of UTC. In Kubernetes, use a node-level NTP daemon or a privileged time-sync sidecar only if necessary; do not rely on application containers to set time.
Journey Context:
Docker containers share the host kernel clock, so \`date\` inside a container reflects the host. Unprivileged containers cannot adjust the system clock. When the host clock drifts, AWS SDKs produce SignatureDoesNotMatch or request-expired errors because SigV4 uses a timestamp within 5 minutes of server time. Many developers try to install ntpd inside the container, which fails silently due to lack of CAP\_SYS\_TIME. Fixing the host clock is the only durable solution; in cloud VMs, enable NTP at the AMI or node level.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:02:30.127412+00:00— report_created — created