
CognitoIdentityCredentials, KMS encrypt and Signature expired


Hello,

ISSUE We are using the AWS SDK in the browser, so we do not have control over the parent system clock. If the parent system clock is off when trying to KMS encrypt data, we receive the following error message:

Error: Signature expired: 20181105T215603Z is now earlier than 20181105T221104Z (20181105T221604Z - 5 min.)

Please note that if the browser’s parent system’s time is correct, then there is no issue.

ATTEMPTS TO FIX

  1. I tried setting window.AWS.config.correctClockSkew = true; but this does not seem to fix kms.encrypt().promise() and still fails.
  2. I tried setting new KMS({ correctClockSkew: true }) in addition to item 1 above, and it still fails.
  3. I even tried manually setting window.AWS.config.systemClockOffset via window.AWS.events.on('retry', (response) => {}) but still get the error. Please note that response.httpResponse.headers['date'] does not seem to be set with kms.encrypt error, so I had to extract the datetime value from the actual error message (not fun)…

REPLICATE I set up my system clock 20 minutes in the past and am able to consistently replicate.

CODE

import { CognitoIdentityCredentials } from 'aws-sdk/global';
import KMS from 'aws-sdk/clients/kms';

export function processPurchase({ billing }) {
  return async (dispatch, getState) => {
    // some code here

    try {
      window.AWS.config.correctClockSkew = true;
      window.AWS.config.region = config.awsDefaultRegion;
      window.AWS.config.credentials = new CognitoIdentityCredentials({
        IdentityPoolId: config.awsCognitoIdentityPoolId,
      });

      const kms = new KMS({ correctClockSkew: true });

      encryptedBilling = await kms
        .encrypt({
          KeyId: config.awsKmsKeyId,
          Plaintext: JSON.stringify(verifiedBilling),
        })
        .promise();
    } catch (error) {
      // catch locally
      console.error(error);
    }

    // more code

  }
}

Please advise on next steps or if you need any additional information. Thanks!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 9 (4 by maintainers)
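
The workaround described in attempt 3 of the post above (deriving the clock offset from the error text because no Date header is available), as an added example that is not code from the issue or from the AWS SDK. The function names are hypothetical; the message shape is the one quoted in the issue, and the result is in milliseconds, the unit `AWS.config.systemClockOffset` uses in the v2 SDK.

```javascript
// Added example: derive a signing-clock offset from a SigV4
// "Signature expired" error message. Helper names are hypothetical.

// Parse the compact UTC timestamps used in the message,
// e.g. "20181105T215603Z", into epoch milliseconds.
function parseAmzDate(stamp) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(stamp);
  if (!m) return NaN;
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s);
}

// Shape taken from the error quoted in the issue:
// "Signature expired: <signed> is now earlier than <cutoff> (<server> - 5 min.)"
const EXPIRED_RE =
  /Signature expired: (\d{8}T\d{6}Z) is now earlier than (\d{8}T\d{6}Z) \((\d{8}T\d{6}Z) - (\d+) min\.\)/;

// Returns the offset (ms) to add to the local clock when signing, or null
// if the message is not a well-formed "Signature expired" error.
// currentOffsetMs is whatever offset was already applied to the failed request.
function clockOffsetFromError(message, currentOffsetMs = 0) {
  const m = EXPIRED_RE.exec(String(message));
  if (!m) return null;
  const signedAt = parseAmzDate(m[1]);
  const cutoff = parseAmzDate(m[2]);
  const serverNow = parseAmzDate(m[3]);
  const windowMs = Number(m[4]) * 60 * 1000;
  if ([signedAt, cutoff, serverNow].some(Number.isNaN)) return null;
  // Consistency check: cutoff must equal server time minus the window,
  // and the signed time must really be older than the cutoff.
  if (serverNow - windowMs !== cutoff || signedAt >= cutoff) return null;
  return currentOffsetMs + (serverNow - signedAt);
}

// Constructed sample input: the exact message quoted in the issue.
const SAMPLE =
  'Signature expired: 20181105T215603Z is now earlier than ' +
  '20181105T221104Z (20181105T221604Z - 5 min.)';

console.log(clockOffsetFromError(SAMPLE), 'ms');
// In the browser the value would be assigned to AWS.config.systemClockOffset
// before retrying the failed call once.
```

Retrying only once after applying the offset keeps a malformed or unexpected message from causing a retry loop.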

Top GitHub Comments

srchase commented, Nov 13, 2018 (1 reaction)

Yes, I’ll update this issue when I have more information about the KMS Team getting this change made.

srchase commented, Nov 6, 2018 (1 reaction)

@devourment77

Thanks for submitting this issue.

I am able to reproduce the issue in the browser, as well as in Node. We will update you once we’ve got the right way to get this resolved sorted out.
