Report #7061
[bug\_fix] AWS SignatureDoesNotMatch or RequestTimeTooSkewed due to clock skew
Synchronize the system clock using NTP. On Amazon Linux 2/2023, ensure the \`chronyd\` service is running: \`sudo systemctl enable --now chronyd\` and verify with \`chronyc tracking\`. On Ubuntu/Debian, install \`chrony\` or ensure \`systemd-timesyncd\` is active. For Docker containers, ensure the host's time is correct and mount \`/etc/localtime\` or run an NTP daemon in the container if necessary. The AWS SDKs \(Java, Python, Go\) include a default clock skew correction of ±5 minutes, but if the skew exceeds this, the signature validation fails. Correcting the system clock is the definitive fix; alternatively, some SDKs allow configuring \`maxRetryAttempts\` and \`retryMode\` to handle clock skew errors specifically, but this is a workaround.
Journey Context:
A developer provisions a new EC2 instance from a custom AMI that was created in 2020 and has NTP disabled. They deploy a Go microservice that uploads logs to S3. Immediately, all \`PutObject\` calls fail with \`SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method\`. The error message includes \`Date: 2020-01-01T00:00:00Z\`. The developer checks the IAM Instance Profile and it's correctly attached. They enable AWS SDK logging and see the Date header sent is indeed 2020. They SSH into the instance and run \`date\`, which returns \`Wed Jan 1 00:00:00 UTC 2020\`. They check \`timedatectl status\` and see \`NTP enabled: no\`. They install and start \`chronyd\` \(\`sudo yum install -y chrony && sudo systemctl start chronyd\`\). After 10 seconds, \`date\` shows the correct 2024 timestamp. The S3 uploads immediately succeed without code changes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T01:43:38.768067+00:00— report_created — created