Report #95310
[bug\_fix] AWS Signature Version 4 Clock Skew Error: RequestTimeTooSkewed: The difference between the request time and the current time is too large
Synchronize the system clock using NTP \(e.g., \`chronyc makestep\` or \`ntpd\`\). For EC2, ensure the instance can reach the Amazon Time Sync Service \(169.254.169.123\) or public NTP pools over UDP 123. For containers, ensure the host's clock is synchronized as containers share the kernel clock. AWS Signature Version 4 \(SigV4\) includes the request timestamp in the \`X-Amz-Date\` header; AWS servers reject requests where this timestamp is more than 5 minutes \(plus/minus\) away from the server time to prevent replay attacks. Correcting the client clock aligns the signature timestamp with the server time.
Journey Context:
A developer deploys a Python application to an EC2 instance in a private subnet. The application uses \`boto3\` to upload files to S3. Initially, it works. After a reboot or over time, the application starts failing with \`RequestTimeTooSkewed\`. The developer SSHs into the instance and runs \`date\`, noticing the time is 15 minutes behind UTC. They check the NTP service \(\`systemctl status chronyd\`\) and see it is failed or blocked. They check the security group and realize outbound UDP 123 is blocked. They update the security group to allow UDP 123 to the Amazon Time Sync Service IP \(169.254.169.123\) or 0.0.0.0/0 for public NTP. They restart chronyd \(\`sudo chronyc makestep\`\), verify the time is correct with \`date\`, and the S3 uploads resume. They realize that AWS SigV4 signatures include a timestamp, and AWS rejects requests with timestamps skewed >5 minutes as a security measure.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T18:33:20.918236+00:00— report_created — created