Report #62730
[bug\_fix] Signature expired: The difference between the request time and the current time is too large. \(AWS Error Code: RequestTimeTooSkewed\) OR ExpiredToken: The security token included in the request is expired
Synchronize the system clock using NTP \(e.g., \`sudo ntpdate pool.ntp.org\`, \`sudo systemctl restart systemd-timesyncd\`, or enabling time synchronization in Docker Desktop settings\). Root cause: AWS request signing \(SigV4\) includes a timestamp; if the client clock differs from AWS server time by more than 5 minutes \(the signature validity window\), AWS rejects the request to prevent replay attacks. This commonly occurs on laptops after sleep/resume, in VMs with paused clocks, in WSL2 without time sync, or in long-running Docker containers where the host clock drifted.
Journey Context:
Your Python boto3 script or AWS CLI command suddenly starts failing with a 403 Forbidden and 'RequestTimeTooSkewed' error. You check your AWS credentials in ~/.aws/credentials—they look valid and were working minutes ago. You regenerate your access keys out of desperation, but the error persists. You check the AWS region endpoint—it's correct. You notice the error message includes the server time and your request time, and they differ by 6 hours or 300 seconds. You check the \`date\` command on your system and realize your laptop clock is wrong—perhaps you dual-booted Windows which changed the hardware clock, or your Docker Desktop VM paused and lost time sync. You try restarting the AWS CLI but it fails again. You realize that AWS SDKs have built-in clock skew correction for small offsets, but when the skew exceeds 5 minutes, the request is rejected before skew correction can be attempted. You fix your system clock using ntpdate or restarting the time sync service, and AWS calls immediately succeed.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T11:46:27.567812+00:00— report_created — created