aws-sdk-js-v3 icon indicating copy to clipboard operation
aws-sdk-js-v3 copied to clipboard

Published 20 hours ago verified publisher icon aws

InvalidSignatureException: Signature expired: 20240820T230143Z is now earlier than 20240820T230302Z (20240820T230802Z - 5 min.)

Open fshuman-a opened this issue 1 year ago • 1 comments

Checkboxes for prior research

Describe the bug

We recently upgraded to v3 and since then we've seen InvalidSignatureException: Signature expired: 20240820T230143Z is now earlier than 20240820T230302Z (20240820T230802Z - 5 min.) a few times when performing KMS encrypt/decrypt operations. Since the issue is intermittent, it is difficult to replicate it. I noticed another user experienced a similar issue and it appears that using the embedded SDK seems to have worked for that user. However, it is not clear if it's a recommendation from AWS or why we should use the embedded SDK instead.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

18

Reproduction Steps

kmsClient.ts

import { KMS } from '@aws-sdk/client-kms';
const kmsClient = new KMS({})
export const getKMS = (): KMS => {
    return kmsClient
}

encryption.ts

import { getKMS } from './kmsClient.ts'

export const encrypt = async (context: Record<string, string>): Promise<string> => {
    const expiry = 60 * 30;
    const nowSecs = Math.floor(Date.now() / 1000);
    const augmentedContext = {
        ...context,
        exp: nowSecs + expiry
    };
    const response = await getKMS()
        .encrypt({
            KeyId: '<key>',
            Plaintext: Buffer.from(JSON.stringify(augmentedContext))
        });

    if (!response.CiphertextBlob) {
        throw Error('No CiphertextBlob');
    }
    return Buffer.from(response.CiphertextBlob).toString('base64');
};

handler.ts

import { encrypt } from 'encryption';

export const handler = async () => {
    ...
    const encryptedKey = await encrypt({'foo': 'bar'})
    ...
}

Observed Behavior

InvalidSignatureException: Signature expired: 20240820T230143Z is now earlier than 20240820T230302Z (20240820T230802Z - 5 min.)\n at throwDefaultError...

Expected Behavior

No error is thrown

Possible Solution

No response

Additional Information/Context

No response

fshuman-a avatar Aug 21 '24 09:08 fshuman-a

Hi @fshuman-a - thanks for reaching out.

The InvalidSignatureException error occurs when the signature used to authenticate the AWS API request has expired. This issue can occur due to a mismatch between the system clocks of the client and the AWS service or if there is a significant delay in the network communication.

Regarding using the embedded SDK, AWS does not explicitly recommend using the embedded SDK over the standalone SDK package. The embedded SDK is a version of the AWS SDK that is bundled with the AWS Lambda execution environment. It is primarily intended for use within Lambda functions, where the Lambda service handles the SDK initialization and configuration.

For applications running outside of the Lambda environment, such as Node.js servers or other compute environments, it is generally recommended to use the standalone SDK package @aws-sdk/client-kms in your case.

Going back to your specific issue - this occurs exclusively in with AWS Lambda. One recommendation from the SDK team is to incorporate Top Level Await into your application. While this approach is not generally advised, an alternative solution could be to relocate the API calls within the handler function itself.

Here's code example from Using Node.js ES modules and top-level await in AWS Lambda:

import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm"; 

const ssmClient = new SSMClient();
const input = { "Name": "/configItem" }
const command = new GetParameterCommand(input);
const parameter = await ssmClient.send(command); // top-level await

export async function handler() {
    const response = {
        statusCode: 200,
        "body": parameter.Parameter.Value
    };
    return response;
};

Here are related issues reported in this repo, for your reference:

  • https://github.com/aws/aws-sdk-js-v3/issues/5192
  • https://github.com/aws/aws-sdk-js-v3/issues/6222

Hope it helps, John

aBurmeseDev avatar Aug 24 '24 02:08 aBurmeseDev

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

github-actions[bot] avatar Sep 27 '24 00:09 github-actions[bot]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

github-actions[bot] avatar Oct 16 '24 00:10 github-actions[bot]