Report #103800
[bug\_fix] AWS SDK operation fails with "Authorization header is malformed" or "The request signature we calculated does not match" after system clock drift
Synchronize the system clock with NTP. AWS signature version 4 includes a timestamp, and requests are rejected if the client clock is more than a few minutes off from AWS server time. On most systems, \`sudo systemctl restart systemd-timesyncd\` or \`sudo ntpdate -s time.aws.com\` resolves it.
Journey Context:
A Docker container running on a developer laptop starts throwing \`Authorization header is malformed; a non-empty Access Key ID must be provided in the header\` even though the same credentials work on the host. The developer regenerates keys, checks \`AWS\_SECRET\_ACCESS\_KEY\`, and verifies the policy, but nothing helps. They enable SDK debug logging and notice the \`X-Amz-Date\` header is hours behind the real time. The container's clock had drifted because the laptop slept and Docker Desktop did not re-sync the VM clock. After running \`ntpdate\` inside the container \(or restarting Docker Desktop\), the timestamp matches AWS server time and the signature verification passes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:43:35.698266+00:00— report_created — created