search cancel

API Gateway: AWS 4 Signer error "The request signature we calculated does not match the signature you provided".


Article ID: 186297


Updated On:


CA API Gateway CA Microgateway


This article will discuss the topic of the AWS 4 Signer assertion and an error that can be observed from time to time.

There exists a "tactical" assertion called AWS 4 Signer, and on occasion when setting this up with a new backend (i.e. AWS Gateway, or AWS

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/namespaces/<path>\n\nhost:<hostname>\nx-amz-date:20191225T035426Z\nx-amz-security-token:<token>\n\nhost;x-amz-date;x-amz-security-token\<securityToken>'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20191225T035426Z\n20191225/<region>/execute-api/aws4_request\<requestID>'\n"}


This article applies to all supported versions of the API Gateway using the AWS 4 Signer tactical assertion.


There is often nothing to be done on the assertion / in the API Gateway, as it is most often working as designed. There is a need to pay attention to the exact message being returned by AWS systems, and making sure the values used are in the format expected by AWS.

Much of whether it will work or not will depend on the particular AWS backend being routed to and if it requires specifics outside of what the assertion-alone provides. For example, if routing to an AWS API Gateway backend, it typically requires its own additional headers and data in the request which likely were not received if you are seeing the error noted in this article. Ensure that the requests are formatted correctly to match what the backend is expecting.

Amazon Support may need to be contacted, if available, for more details on the error they are responding with.

Additional Information