
generateDataKey error Signature expired on AWS KMS?


I am working with my client, so I cloned the git repo and built the application, which uses AWS KMS to generate a data key.

All works well on the live server, but it fails on my local environment.

Here is the code snippet and the resulting error.

const AWS = require('aws-sdk');
AWS.config.update({region:'eu-central-1'});
const kms = new AWS.KMS({ apiVersion: '2014-11-01' });

kms.generateDataKey({
 KeyId: 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX',
 KeySpec: 'AES_256',
}).promise()
.catch(err => {
 console.error('generateDataKey error', err.message, err.stack);
 throw err;
})
.then(data => {
 console.log(data);
});

Is there a way to fix this error?

"GenerateDataKey error Signature expired...."


Solution

  • When you send a request signed using the AWS SigV4 protocol (to KMS or any other AWS service), the request includes a timestamp from when the signature was generated. The tolerance is 5 minutes. This mechanism is in place to make replay attacks harder (they essentially have a smaller window to be performed). More information here.

    Since the same request is working fine on your server, but failing locally, I think the clock on your local workspace is off by more than five minutes.
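
The check described in the answer, as an added example that is not part of the original post: it compares the local clock with a server time taken from an HTTP `Date` header and tests whether a SigV4 `X-Amz-Date` timestamp produced locally would fall inside the 5-minute tolerance. All function names and the sample times are constructed for illustration and are not part of aws-sdk.

```javascript
// Added example: helper names are hypothetical, not aws-sdk APIs.
const SIGV4_TOLERANCE_MS = 5 * 60 * 1000; // 5-minute tolerance stated in the answer

// Parse a SigV4 X-Amz-Date value (e.g. 20240101T120000Z) to epoch milliseconds.
function parseAmzDate(value) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(value);
  if (!m) throw new Error(`not an X-Amz-Date timestamp: ${value}`);
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s);
}

// Format epoch milliseconds the way a signer writes X-Amz-Date.
function formatAmzDate(ms) {
  return new Date(ms).toISOString().replace(/[-:]/g, '').replace(/\.\d{3}Z$/, 'Z');
}

// Signed offset of the local clock relative to the server
// (positive = local clock is ahead), from any response's Date header.
function clockSkewMs(localNowMs, serverDateHeader) {
  const serverMs = Date.parse(serverDateHeader);
  if (Number.isNaN(serverMs)) throw new Error('unparseable Date header');
  return localNowMs - serverMs;
}

// Server-side view: is the signing timestamp within tolerance of the server clock?
function signatureAccepted(amzDate, serverNowMs, toleranceMs = SIGV4_TOLERANCE_MS) {
  return Math.abs(parseAmzDate(amzDate) - serverNowMs) <= toleranceMs;
}

// Sign "now" as the local machine sees it and report how the server would judge it.
function diagnose(localNowMs, serverDateHeader) {
  const stamp = formatAmzDate(localNowMs);
  return {
    stamp,
    skewSeconds: clockSkewMs(localNowMs, serverDateHeader) / 1000,
    accepted: signatureAccepted(stamp, Date.parse(serverDateHeader)),
  };
}

// Constructed sample: server time from a Date header, laptop clock 7 minutes behind.
const serverDate = 'Mon, 01 Jan 2024 12:00:00 GMT';
const serverNow = Date.parse(serverDate);
const laptopNow = serverNow - 7 * 60 * 1000;

console.log(diagnose(laptopNow, serverDate));         // skewed clock: rejected
console.log(diagnose(serverNow + 30000, serverDate)); // 30 s ahead: accepted
```

On a real machine, pass `Date.now()` and the `Date` header of any HTTPS response; a skew beyond the tolerance means the system clock needs to be resynchronised. The AWS SDK for JavaScript v2 also has a `correctClockSkew` configuration option that retries with an adjusted offset.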