By using AWS re:Post, you agree to the AWS re:Post Terms of Use

"Signature not yet current" in test environment

0

In an AWS test environment, our testers frequently need to change the date/time on instances as part of their test suites. Unfortunately, this appears to break Session Manager authentication. The SSM agent generates errors such as:

2021-05-27 18:58:54 ERROR {HandleAwsError @ awserr.go.49} {ssm-agent-worker} {HealthCheck} error when calling AWS APIs. error details - InvalidSignatureException: Signature not yet current: 20210527T175854Z is still later than 20210430T180355Z (20210430T175855Z + 5 min.)
status code: 400, request id: caaa36f2-c644-4c91-b461-0dbd8a51774e

In the above case, the (Windows 10) instance's clock was set to a future date. Is there any configuration option that would allow us to bypass date-based checks during authentication? Presumably this is an SSL certificate issue.

I note from the AWS SDK that certain authentication options allow for a maximum clock drift of five minutes. Does this apply here?

In short: is there any way to keep Session Manager available despite changes to the system clock?

asked 4 years ago3K views
3 Answers
0
Accepted Answer

This is not supported in Session Manager (as it also makes AWS API calls).

Thanks.

AWS
answered 4 years ago
0

Hi @RobPomeroy,

SSM Agent uses AWS Go SDK, so the behavior you are seeing is expected.

Some more information here as well:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html#configure_ntp
"If you use the AWS CLI or an AWS SDK to make requests from your instance, these tools sign requests on your behalf. If your instance's date and time are not set correctly, the date in the signature may not match the date of the request, and AWS rejects the request."

AWS
answered 4 years ago
0

Right, that's what I feared. So my question remains: is there any way to keep Session Manager available despite changes to the system clock?

(I think I know the answer!)

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions