By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How can I resolve the "native lambda error:InvalidSignatureException: Signature expired" error when I use an AWS SDK to invoke a Lambda function?

3 minute read
0

When I use an AWS SDK to invoke my AWS Lambda function, the function returns a "Signature expired" error.

Short description

When the client time and server time don't match, the Lambda signature expires, and you receive an error message similar to the following one:

"Error: native lambda error:InvalidSignatureException: Signature expired: 20230118T161739Z is now earlier than 20230118T161739Z (20190318T162239Z - 5 min.)"

An API request must reach AWS within 5 minutes of the timestamp in the request or AWS denies the request. In some scenarios, you can change the client time to match the server time.

Resolution

When you use an AWS SDK to synchronously invoke a Lambda function, the connection lasts until the response is returned. By default, the Node.js SDK allows 50 connections. If the connection quota is reached, then the SDK queues the request locally until a connection is available. If you receive the "Signature expired" error and the following actions are true, then the connection quota might be reached:

  • The Lambda function isn't throttling.
  • The client time is correct.
  • (Node.js SDK only) You set the correctClockSkew:true option when you created the client so that the time is corrected when you invoke the function.
  • You invoked the Lambda function at a high rate or, you invoked the Lambda function at a high rate and the invocation runs for an extended period of time.

The SDK signs the request, and then puts the request in a queue. If the queue becomes too large and the request is pending for more than 5 minutes, then the signature expires. Because the signature is expired, all additional requests fail.

If you don't need the response from the invocation, then use asynchronous invocation. Asynchronous invocation allows the SDK to use the connection only to invoke the request and doesn't wait for a response.

You can also use Top Level Await (TLA) in your application. Use TLA if you make API calls outside of a handler, and you receive SignatureDoesNotMatch exceptions when you use Node.js AWS SDK v3.

Or, increase the maximum number of connections that the SDK allows.

Note: When you add connections, the Lambda function invokes at a higher rate and can cause throttling.

Related information

Monitoring and troubleshooting Lambda applications

How do I troubleshoot Lambda function invocation timeout errors?

How do I determine if my Lambda function is timing out?

AWS OFFICIAL
AWS OFFICIALUpdated 2 months ago
5 Comments

How to resolve this when you get this error while updating the lambda function from AWS SDK? Error: updating code for Lambda function: Signature expired: 20230512T173853Z is now earlier than 20230512T174113Z (20230512T174613Z - 5 min.)

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
EXPERT
replied 2 years ago

Hi there, thanks for this post, we have a bit of weird one, we are getting this error when called the CloudWatch SDK implying that we are calling it perhaps too much but we never saw this error when we were on aws-sdk v2 and are only seeing it since upgrading to v3. Has something changed in the way the SDK works that is only doing this in v3? Thanks

profile picture
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

for folks that are investigating the sdkv2 -> v3 issue, please see this bug discussion - https://github.com/aws/aws-sdk-js-v3/issues/5192#issuecomment-1857037911

replied 6 months ago