{
  "id": "cloud/aws-s3-presigned-url-expired-before-use",
  "signature": "The request signature we calculated does not match the signature you provided. Check your key and signing method. (Status: 403)",
  "signature_zh": "我们计算的请求签名与您提供的签名不匹配。请检查您的密钥和签名方法。（状态：403）",
  "regex": "The request signature we calculated does not match the signature you provided",
  "domain": "cloud",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The presigned URL was generated with a very short expiration time (e.g., 1 second) or the client's clock is skewed, causing the signature to be invalid by the time the request reaches S3.",
  "root_cause_type": "generic",
  "root_cause_zh": "预签名 URL 的过期时间非常短（例如 1 秒），或者客户端的时钟偏差导致签名在请求到达 S3 时已无效。",
  "versions": [
    {
      "version": "AWS S3 (Standard)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI v2.15.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "boto3 1.34.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The error is about signature mismatch, not permissions; this policy change does not help.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The signature algorithm is correct by default; the issue is timing, not algorithm selection.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The expiration is set during URL generation; adding a header cannot extend it.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Generate the presigned URL with a longer expiration time, e.g., 3600 seconds (1 hour): `aws s3 presign s3://mybucket/myfile --expires-in 3600`",
      "success_rate": 0.95,
      "how": "Generate the presigned URL with a longer expiration time, e.g., 3600 seconds (1 hour): `aws s3 presign s3://mybucket/myfile --expires-in 3600`",
      "condition": "",
      "sources": []
    },
    {
      "action": "If clock skew is suspected, synchronize the client's system clock using NTP: `sudo ntpdate -u time.google.com` on Linux, or enable 'Set time automatically' on Windows/macOS.",
      "success_rate": 0.8,
      "how": "If clock skew is suspected, synchronize the client's system clock using NTP: `sudo ntpdate -u time.google.com` on Linux, or enable 'Set time automatically' on Windows/macOS.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Generate the presigned URL with a longer expiration time, e.g., 3600 seconds (1 hour): `aws s3 presign s3://mybucket/myfile --expires-in 3600`",
    "If clock skew is suspected, synchronize the client's system clock using NTP: `sudo ntpdate -u time.google.com` on Linux, or enable 'Set time automatically' on Windows/macOS."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html",
  "official_doc_section": null,
  "error_code": "SignatureDoesNotMatch",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2024-02-28",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}