I'm currently working on a microservice in AWS using lambdas. On occasion, a lambda call from one to the other will fail when that receiver lambda then calls another lambda. The error is as follows:

```
errorMessage  Signature expired: 20210825T214414Z is now earlier than 20210825T214616Z (20210825T215116Z - 5 min.)
errorType     InvalidSignatureException
name          InvalidSignatureException
stack.0       InvalidSignatureException: Signature expired: 20210825T214414Z is now earlier than 20210825T214616Z (20210825T215116Z - 5 min.)
stack.1       at deserializeAws_restJson1InvokeCommandError (/var/task/node_modules/@aws-sdk/client-lambda/dist/cjs/protocols/Aws_restJson1.js:5106:41)
stack.2       at runMicrotasks (<anonymous>)
stack.3       at processTicksAndRejections (internal/process/task_queues.js:95:5)
stack.4       at async /var/task/node_modules/@aws-sdk/middleware-serde/dist/cjs/deserializerMiddleware.js:6:20
stack.5       at async /var/task/node_modules/@aws-sdk/middleware-signing/dist/cjs/middleware.js:12:24
stack.6       at async StandardRetryStrategy.retry (/var/task/node_modules/@aws-sdk/middleware-retry/dist/cjs/StandardRetryStrategy.js:51:46)
stack.7       at async /var/task/node_modules/@aws-sdk/middleware-logger/dist/cjs/loggerMiddleware.js:6:22
stack.8       at async InvokeLambdaAdapter.sendCommand (/var/task/invokeLambdaAdapter.js:61:24)
```

We use the JavaScript AWS Lambda client, and run version 3.20. I'm not sure what can be causing this. I thought it was a clock issue, but correcting clock skew is baked into the request, and it's not an issue of the local clock because lambdas are synced with NTP. Any advice helps!

shimo
Michael Eliot
  • Does this answer your question? [Signature expired: is now earlier than error : InvalidSignatureException](https://stackoverflow.com/questions/44017410/signature-expired-is-now-earlier-than-error-invalidsignatureexception) – shimo Aug 25 '21 at 23:36
  • What mechanism are you using to calculate the signature? Most of the time what happens is that the signature you calculate in JS does not match the AWS-calculated signature; it might be missing params which are also expected on the AWS side, or a data issue. – Avinash Dalvi Aug 26 '21 at 06:30
  • @shimo it does not. It's not my local machine, it's the lambda. Afaik there shouldn't be an issue with the clocks as all lambdas are synced via NTP. I can run it fine on my machine. – Michael Eliot Aug 26 '21 at 15:19
  • @aviboy2006 got it so you are implying the issue isn't time related, but just generally an issue of missing params? – Michael Eliot Aug 26 '21 at 15:20
  • Sometimes it is time related too, but there are multiple params which can result in an invalid signature. Put simply, it is two-way encryption: one way JS will do and one way AWS will do, and it tries to match them. If something is not right as per AWS, it will throw an error. – Avinash Dalvi Aug 26 '21 at 15:48
  • Is there a way to debug this? Besides printing what I am providing to the lambda invoke, is there a way to see what is getting signed or something? – Michael Eliot Aug 26 '21 at 18:59

1 Answer

For anyone curious: the issue ended up being reusing an AWS Lambda client for multiple requests. When we had the requests create a new client for every request, the issue went away.

Michael Eliot
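Added example, not part of the original posts: one way to debug the error quoted in the question is to decode its three timestamps and work out how old the signature was when the service checked it. The function names are hypothetical, and reading the timestamps as signing time, cutoff and service time is an assumption based on the message layout shown above.

```javascript
// Added example: decode a SigV4 "Signature expired" message into a signing age.
// The message layout is taken from the error quoted in the question.
const EXPIRED_RE =
  /Signature expired: (\d{8}T\d{6}Z) is now earlier than (\d{8}T\d{6}Z) \((\d{8}T\d{6}Z) - (\d+) min\.\)/;

// Convert the compact ISO 8601 basic form (YYYYMMDDTHHMMSSZ) to epoch milliseconds.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (!m) throw new Error(`not a compact UTC timestamp: ${s}`);
  const [y, mo, d, h, mi, se] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, se);
}

// Returns null for messages that are not the "expired" variant
// (for example a signature mismatch), so callers can tell the two apart.
function analyzeSignatureExpired(message) {
  const m = EXPIRED_RE.exec(message);
  if (!m) return null;
  const signedAt = parseAmzDate(m[1]);   // assumed: time the request was signed
  const cutoff = parseAmzDate(m[2]);     // assumed: oldest signing time still accepted
  const serverNow = parseAmzDate(m[3]);  // assumed: service clock at validation
  const windowSeconds = Number(m[4]) * 60;
  const ageSeconds = (serverNow - signedAt) / 1000;
  return {
    signedAt: new Date(signedAt).toISOString(),
    serverNow: new Date(serverNow).toISOString(),
    ageSeconds,
    windowSeconds,
    overBySeconds: ageSeconds - windowSeconds,
    // Sanity check that the cutoff really is serverNow minus the window.
    consistent: serverNow - cutoff === windowSeconds * 1000,
  };
}

// Sample input: the errorMessage from the question.
const sample =
  "Signature expired: 20210825T214414Z is now earlier than 20210825T214616Z (20210825T215116Z - 5 min.)";
console.log(analyzeSignatureExpired(sample));
```

For the error in the question this reports a signature that was 422 seconds old against a 300-second window, so logging the same fields next to the time `sendCommand` was called shows whether the gap opened before or after the request was signed.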