CognitoIdentityCredentials, KMS encrypt and Signature expired
Hello,
ISSUE We are using the AWS SDK in the browser, so we do not have control over the parent system clock. If the parent system clock is off when trying to KMS encrypt data, we receive the following error message:
Error: Signature expired: 20181105T215603Z is now earlier than 20181105T221104Z (20181105T221604Z - 5 min.)
Please note that if the browser’s parent system’s time is correct, then there is no issue.
ATTEMPTS TO FIX
- I tried setting `window.AWS.config.correctClockSkew = true;` but this does not seem to fix `kms.encrypt().promise()` and it still fails.
- I tried setting `new KMS({ correctClockSkew: true })` in addition to item 1 above, and it still fails.
- I even tried manually setting `window.AWS.config.systemClockOffset` via `window.AWS.events.on('retry', (response) => {})` but still get the error. Please note that `response.httpResponse.headers['date']` does not seem to be set with the `kms.encrypt` error, so I had to extract the datetime value from the actual error message (not fun)…
REPLICATE I set up my system clock 20 minutes in the past and am able to consistently replicate.
CODE
```js
import { CognitoIdentityCredentials } from 'aws-sdk/global';
import KMS from 'aws-sdk/clients/kms';

export function processPurchase({ billing }) {
  return async (dispatch, getState) => {
    // some code here (config and verifiedBilling come from the omitted part)
    let encryptedBilling;
    try {
      // Clock-skew correction enabled globally and on the client
      window.AWS.config.correctClockSkew = true;
      window.AWS.config.region = config.awsDefaultRegion;
      window.AWS.config.credentials = new CognitoIdentityCredentials({
        IdentityPoolId: config.awsCognitoIdentityPoolId,
      });
      const kms = new KMS({ correctClockSkew: true });
      encryptedBilling = await kms
        .encrypt({
          KeyId: config.awsKmsKeyId,
          Plaintext: JSON.stringify(verifiedBilling),
        })
        .promise();
    } catch (error) {
      // catch locally
      console.error(error);
    }
    // more code
  };
}
```
Please advise on next steps or if you need any additional information. Thanks!
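The workaround the post describes (pulling the service time out of the error text because the KMS error response carries no `date` header, then setting `systemClockOffset` from a `retry` listener), written out as an added example in plain JavaScript. This is not code from the issue or from the AWS SDK. It assumes the v2 SDK's `config.systemClockOffset` (milliseconds added to the signing time) and that a `retry` listener may set `response.error.retryable = true` to request another attempt; the error message is the one quoted in the issue, and the response objects are constructed for illustration.

```javascript
// Added example (not from the issue or the AWS SDK): recover the clock offset
// from a SigV4 "Signature expired" error and push it into the SDK's
// systemClockOffset so the retried request is signed with corrected time.

// Shape of the message quoted in the issue:
//   Signature expired: <signing time> is now earlier than <service time - 5 min> (<service time> - 5 min.)
// The parenthesised timestamp is the service's current time.
const SIG_EXPIRED_RE =
  /Signature expired: (\d{8}T\d{6}Z) is now earlier than (\d{8}T\d{6}Z) \((\d{8}T\d{6}Z) - 5 min\.\)/;

// Parse the basic ISO 8601 form used by SigV4 (YYYYMMDDTHHMMSSZ) to epoch ms.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s);
  if (!m) throw new Error(`not an AWS basic timestamp: ${s}`);
  const [y, mo, d, h, mi, sec] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, sec);
}

// Offset (ms) to add to the client clock, derived from the error text.
// Returns null when the message is not a signature-expiry error.
// Positive means the client clock is behind the service.
function offsetFromSignatureExpired(message, clientNowMs) {
  const m = SIG_EXPIRED_RE.exec(message || '');
  if (!m) return null;
  return parseAmzDate(m[3]) - clientNowMs;
}

// Builds a listener for AWS.events.on('retry', ...). `config` is the object
// carrying systemClockOffset (window.AWS.config in the issue); `now` is
// injectable so the logic can be exercised with a fixed clock.
function makeSkewRetryHandler(config, now = () => Date.now()) {
  return function onRetry(response) {
    const err = response && response.error;
    if (!err) return;
    const headers = (response.httpResponse && response.httpResponse.headers) || {};
    let offset = null;
    if (headers.date) {
      // Prefer the Date header when the service returned one.
      offset = new Date(headers.date).getTime() - now();
    } else {
      // KMS errors in the issue carried no Date header: fall back to the message.
      offset = offsetFromSignatureExpired(err.message, now());
    }
    if (offset === null || Number.isNaN(offset)) return;
    config.systemClockOffset = offset;
    err.retryable = true; // ask the SDK to retry now that the clock is corrected
  };
}

// Constructed sample: the exact message from the issue, with the client clock
// set to the signing time that message reports.
const SAMPLE_MESSAGE =
  'Signature expired: 20181105T215603Z is now earlier than 20181105T221104Z (20181105T221604Z - 5 min.)';

function demo() {
  const clientNow = parseAmzDate('20181105T215603Z');
  const config = {};
  const response = { error: { message: SAMPLE_MESSAGE }, httpResponse: { headers: {} } };
  makeSkewRetryHandler(config, () => clientNow)(response);
  return { offsetMs: config.systemClockOffset, retryable: response.error.retryable === true };
}

// In the browser: window.AWS.events.on('retry', makeSkewRetryHandler(window.AWS.config));
```

For the message in the issue the service time (22:16:04Z) minus the signing time (21:56:03Z) gives an offset of 1201000 ms, i.e. the 20-minute skew the reporter set, plus the second that elapsed; the listener only acts when the message matches the signature-expiry shape or a `date` header is present, so unrelated errors are left untouched.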
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:9 (4 by maintainers)
Top GitHub Comments
Yes, I’ll update this issue when I have more information about the KMS Team getting this change made.
@devourment77
Thanks for submitting this issue.
I am able to reproduce the issue in the browser, as well as in Node. We will update you once we’ve got the right way to get this resolved sorted out.