Report #61023
[bug\_fix] AWS RequestTimeTooSkewed: The difference between the request time and the current time is too large
Synchronize the system clock with a reliable NTP server. Install and enable an NTP daemon such as \`chronyd\`, \`ntpd\`, or \`systemd-timesyncd\` on the host operating system. For EC2 instances, ensure the instance is configured to use the Amazon Time Sync Service \(\`169.254.169.123\`\) via \`chrony\`. Root cause: AWS Signature Version 4 includes a timestamp in the request header; if the client's system clock is skewed by more than 5 minutes from AWS server time, the signature is rejected for replay protection, regardless of credential validity.
Journey Context:
You have a CI runner on a self-hosted Kubernetes cluster running on-premise VMware vSphere. Suddenly, all AWS API calls from pods \(using IRSA or instance profiles\) start failing with \`RequestTimeTooSkewed: The difference between the request time and the current time is too large\`. You check the pod logs and see the error consistently across all AWS SDK calls. You exec into one pod and run \`date\` and compare it to your local machine time: the pod's time is 7 minutes behind. You check the node time with \`kubectl debug node/ -- date\` and see the node time is also behind. You realize the on-premise VMware vSphere host had NTP disabled after a recent maintenance window, causing the VM time to drift. You enable \`chronyd\` on the Kubernetes nodes, configure it to sync with your corporate NTP server \(or the Amazon Time Sync Service if using AWS Outposts or hybrid\), sync the time, and restart the pods. The AWS calls now succeed because the signature timestamps are within the 5-minute tolerance window.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T08:54:52.748741+00:00— report_created — created