21
votes

I am using the AWS CLI on Ubuntu 16.04 LTS and I am trying to list all buckets. In aws configure I have entered the IAM user access key and IAM user secret key. This IAM user has permission to list buckets and can list buckets in the console. But using the AWS CLI with these keys and running the command aws s3 ls gives me this error:

A client error (SignatureDoesNotMatch) occurred when calling the ListBuckets operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

I have created a policy to list buckets for this particular IAM user also.

I want to perform further sync operations and make-all-files-public operations via a shell script using this IAM user's credentials, and I do not want to use root credentials.

16
Based on the error, the secret you're using is wrong. Most likely, a copy/paste error. Try revoking that access key and create new keys. - Matt Houser
The other thing it could be is trying to use signature V2 in a region that only supports V4 (like eu-central-1). - Matt Houser
Thank you sir, by changing the keys I was able to solve the problem. Could you please tell - Piyush dhore

16 Answers

16
votes

Found my issue. I had old AWS keys in my environment variables. If you have environment variables named

AWS_SECRET_ACCESS_KEY
AWS_ACCESS_KEY_ID

the awscli will use those values instead of what is provided via ~/.aws/credentials.

Try running printenv | grep AWS and verify that those values aren't set. If so then just run a

unset AWS_SECRET_ACCESS_KEY
unset AWS_ACCESS_KEY_ID

and you should be good to go.

7
votes

In my case, this was due to incorrect aws_secret_access_key.

To check, open the file ~/.aws/credentials by typing:

cat ~/.aws/credentials

The content should be something like below:

[default]
aws_access_key_id = xxx
aws_secret_access_key = xx

See if the aws_access_key_id and aws_secret_access_key match your credentials. If they don't, edit and save changes.

P.S.: If you don't remember your aws_secret_access_key, generate a new key and secret by going to aws console --> your name --> My Security Credentials.

Then click 'Create access key':

Take note that you can only have two access keys at a time.
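
A diagnostic for the two checks described in the answers above (exported keys shadowing ~/.aws/credentials, and a damaged secret in that file), as an added example that is not part of any answer. The function names are hypothetical, the 40-character base64-alphabet secret is an assumption about typical IAM access keys, and the sample keys are AWS's documentation placeholders.

```shell
#!/usr/bin/env bash
# Added diagnostic: reports findings only, never echoes a secret.

# Print the raw value of KEY inside [PROFILE] of an INI-style credentials file.
cred_value() {  # usage: cred_value FILE PROFILE KEY
  awk -v want="[$2]" -v key="$3" '
    /^\[/ { h = $0; sub(/[ \t\r]+$/, "", h); in_sec = (h == want); next }
    in_sec && (eq = index($0, "=")) {
      k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); print v; exit }
    }' "$1"
}

# Which source would sign the request? Exported variables shadow the file.
cred_source() {  # usage: cred_source FILE [PROFILE]
  file_id=$(cred_value "$1" "${2:-default}" aws_access_key_id)
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    if [ -n "$file_id" ] && [ "$file_id" != "$AWS_ACCESS_KEY_ID" ]; then
      echo "env-shadows-file"   # exported keys differ from the configured ones
    else
      echo "env"
    fi
  elif [ -n "$file_id" ]; then
    echo "file"
  else
    echo "none"
  fi
}

# Classify the stored secret (assumed: 40 characters from A-Z a-z 0-9 / +).
secret_problem() (  # usage: secret_problem FILE [PROFILE]; subshell keeps LC_ALL local
  LC_ALL=C
  s=$(cred_value "$1" "${2:-default}" aws_secret_access_key)
  cr=$(printf '\r')
  case "$s" in
    "")               echo "missing" ;;
    *"$cr"*)          echo "carriage-return" ;;       # file saved with CRLF endings
    *[[:space:]]*)    echo "whitespace" ;;            # stray space or tab in the value
    *[!A-Za-z0-9/+]*) echo "unexpected-character" ;;  # invisible or substituted byte
    *) [ "${#s}" -eq 40 ] && echo "ok" || echo "length-${#s}" ;;  # characters lost in copy
  esac
)

# Constructed sample (AWS documentation placeholder keys, CRLF line endings).
demo=$(mktemp)
printf '[default]\r\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\r\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\r\n' > "$demo"
echo "source: $(cred_source "$demo")  secret: $(secret_problem "$demo")"
rm -f "$demo"
```

On a live system, aws configure list shows the same information as cred_source: its Type column names the source (env or shared-credentials-file) of each value without revealing the full key.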

4
votes

This error is because of incorrect aws s3 access key/secret key.

3
votes

It means that your AWS security credentials have expired. Simply creating new credentials will work.

  • Go to your AWS account -> My security credentials
  • Click on Create New Access Key. Make a note of the access key ID and secret access key
  • Run aws configure and enter the new credentials

1
votes

In my case, I had encryption but was sending the size the file was before being encrypted. If you got this error and your secret and key are correct, it's worth double-checking your md5, mimetype, size, and other attributes.

1
votes

Just check the time on the system on which you are running. Make sure it is updated.

1
votes

The issue was with the AWS credentials. I copied the secret from an Excel file into a txt file and somehow a few of the special characters were stripped away. Make sure to copy it properly.

Also try restarting the machine and make sure AWS is not set in an environment variable. You can check it with printenv | grep 'AWS'

1
votes

Can happen even when the machine time is not in sync with the NTP server.

sudo ntpdate ntp.ubuntu.com helped me solve this problem.

0
votes

Please switch to root user.

In my case I was running the command aws s3 ls as a standard user and it was giving the error below:

"AWS CLI listing S3 buckets gives SignatureDoesNotMatch error using IAM user credentials"

Then I switched to the root user by using the sudo su command, tried the aws s3 ls command again, and it listed the S3 bucket names.

0
votes

For me the problem was the / in my secret_key. To get round it, I pasted the secret key into a .dat file on my PC, copied it to the server, ran pg on the .dat file on the server, and copied the secret key when using aws configure.

0
votes

Fixed it by using --endpoint-url option as stated here: https://github.com/aws/aws-cli/issues/4922

Looks like it is related to the fact that the VM I was on was in a different region than the bucket.

0
votes

Newbie to Boto3, Python and AWS automation here.

I got the error

"A client error (SignatureDoesNotMatch) occurred when calling the CreateBucket operation: The request signature we calculated does not match the signature you provided. Check your key and signing method." when attempting to programmatically add an S3 bucket to my AWS account.

I use Jupyter as my IDE and spent a lot of time attempting to fix this issue. What I found is that this is related to the default region that is entered into the "config" file in .aws. For some reason the default region was "us-west-2" in my config file and the bucket I was attempting to add was in us-east-2.

I have seen some solutions attempt to correct this with environmental variables but I believe this solution is much simpler.

0
votes

Using single quotes (') instead of using quotes (") when exporting the AWS_SECRET_ACCESS_KEY solved this problem for me when using "aws s3 cp" commands.

0
votes

In my case, I had a typo in the region name. Once I fixed it, everything worked fine.

Set the region name to None first, then change it back correctly.

Should be good.

0
votes

My case is different. Yesterday these configured keys on my new Mac were working fine, but today they are not working. I tried comparing with the working configuration on my old Windows system and both look the same. I couldn't understand it. I copy-pasted from Windows to the Mac again and then it worked fine; it seems some invisible characters might have been added.

0
votes

The only thing that works for me is a simple restart.