# The request signature we calculated does not match the signature you provided. Check your key and signing method. (Status: 403)

- **ID:** `cloud/aws-s3-presigned-url-expired-before-use`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `SignatureDoesNotMatch`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The presigned URL was generated with a very short expiration time (e.g., 1 second) or the client's clock is skewed, causing the signature to be invalid by the time the request reaches S3.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 (Standard) | active | — | — |
| AWS CLI v2.15.0 | active | — | — |
| boto3 1.34.0 | active | — | — |

## Workarounds

1. **Generate the presigned URL with a longer expiration time, e.g., 3600 seconds (1 hour).** (95% success)
   ```
   aws s3 presign s3://mybucket/myfile --expires-in 3600
   ```
2. **If clock skew is suspected, synchronize the client's system clock using NTP on Linux, or enable 'Set time automatically' on Windows/macOS.** (80% success)
   ```
   sudo ntpdate -u time.google.com
   ```
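
To tell a too-short expiry from clock skew before applying either workaround, the signing time and lifetime can be read from the URL's `X-Amz-Date` and `X-Amz-Expires` query parameters and compared against a reference clock. The Python below is an added example, not part of the original entry or of any AWS tooling; the function names are hypothetical, and the sample URL with its credential and signature is a constructed placeholder.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit, parse_qs

MAX_EXPIRES = 604800  # SigV4 presigned URLs allow at most 7 days


def presign_window(url):
    """Return (signed_at, expires_at) from a SigV4 presigned URL's query string."""
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        signed_at = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ")
        expires = int(q["x-amz-expires"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"not a SigV4 presigned URL: {exc}") from exc
    if not 0 < expires <= MAX_EXPIRES:
        raise ValueError(f"X-Amz-Expires out of range: {expires}")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=expires)


def clock_skew(local_now, date_header):
    """Seconds the local clock is ahead (+) or behind (-) of a server's Date header."""
    return (local_now - parsedate_to_datetime(date_header)).total_seconds()


def diagnose(url, now):
    """Classify the URL against a reference time (timezone-aware UTC datetime)."""
    signed_at, expires_at = presign_window(url)
    if now < signed_at:
        return "not_yet_valid"  # signer's clock is ahead of the reference clock
    if now >= expires_at:
        return "expired"
    return "valid"


# Constructed sample URL: bucket, key, credential and signature are placeholders.
SAMPLE_URL = (
    "https://mybucket.s3.amazonaws.com/myfile"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=EXAMPLEKEYID%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=1"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(diagnose(SAMPLE_URL, now), presign_window(SAMPLE_URL))
```

Passing the `Date` header from any S3 response to `clock_skew` along with the local time shows how far the client clock has drifted; a skew larger than the URL's lifetime points to the second workaround rather than the first.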

## Dead Ends

- **** — The error is about signature mismatch, not permissions; this policy change does not help. (85% fail)
- **** — The signature algorithm is correct by default; the issue is timing, not algorithm selection. (90% fail)
- **** — The expiration is set during URL generation; adding a header cannot extend it. (95% fail)
