# 我们计算的请求签名与您提供的签名不匹配。请检查您的密钥和签名方法。（状态：403）

- **ID:** `cloud/aws-s3-presigned-url-expired-before-use`
- **领域:** cloud
- **类别:** auth_error
- **错误码:** `SignatureDoesNotMatch`
- **验证级别:** ai_generated
- **修复率:** 90%

## 根因

预签名 URL 的过期时间非常短（例如 1 秒），或者客户端的时钟偏差导致签名在请求到达 S3 时已无效。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| AWS S3 (Standard) | active | — | — |
| AWS CLI v2.15.0 | active | — | — |
| boto3 1.34.0 | active | — | — |

## 解决方案

1. ```
   Generate the presigned URL with a longer expiration time, e.g., 3600 seconds (1 hour): `aws s3 presign s3://mybucket/myfile --expires-in 3600`
   ```
2. ```
   If clock skew is suspected, synchronize the client's system clock using NTP: `sudo ntpdate -u time.google.com` on Linux, or enable 'Set time automatically' on Windows/macOS.
   ```

## 无效尝试

- **** — The error is about signature mismatch, not permissions; this policy change does not help. (85% 失败率)
- **** — The signature algorithm is correct by default; the issue is timing, not algorithm selection. (90% 失败率)
- **** — The expiration is set during URL generation; adding a header cannot extend it. (95% 失败率)