Report #15674
[bug\_fix] SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided
Configure the SDK client with the correct AWS Region where the resource \(S3 bucket, DynamoDB table\) actually resides, or explicitly set the \`Authorization\` header's credential scope to the correct region in SigV4 calculations. Root cause: AWS Signature Version 4 includes the region in the 'Credential' scope \(e.g., \`us-east-1/s3/aws4\_request\`\). If the SDK client is configured for \`us-east-1\` but the bucket is in \`eu-west-1\`, the signature is calculated for the wrong region. While S3 often redirects with 301 and some SDKs retry, many other services \(DynamoDB, KMS\) do not redirect and instead return SignatureDoesNotMatch or an ambiguous 400/403.
Journey Context:
A developer writes a Lambda function in Python \(boto3\) that writes to a DynamoDB table in \`us-west-2\`. They hardcode the region in the client as \`us-east-1\` \(copy-paste from a template\). The first few calls fail with 'SignatureDoesNotMatch'. The developer checks the IAM role attached to the Lambda, confirming it has full DynamoDB access. They try generating new access keys \(not applicable to Lambda execution role\). They enable CloudTrail but the error is opaque. They eventually capture the raw HTTP request and notice the \`X-Amz-Credential\` header contains \`us-east-1\` despite the table being in \`us-west-2\`. Changing the client's \`region\_name\` parameter to \`us-west-2\` immediately resolves the issue.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T00:45:52.585894+00:00— report_created — created