SignatureDoesNotMatch error and push notifications are not working in Identity Cloud
The purpose of this article is to provide assistance if you receive a 403 SignatureDoesNotMatch error and notice push notifications are not working in ForgeRock Identity Cloud.
Symptoms
Push notifications are not working in the staging or production environments after promoting changes but still work in the development environment.
You may see the following error when this happens:

com.amazonaws.services.sns.model.AmazonSNSException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (Service: AmazonSNS; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: ad4a64de-2387-5eeb-baf3-78e86d5f76e9; Proxy: null)
Recent Changes
Configured the Push Notification service with an encrypted secret.
Promoted configuration.
Causes
The encrypted secret (the AWS Secret Access Key in this instance) has been added directly to the Push Notification service. All encrypted secrets must be created as ESV secrets; otherwise, they are not promoted or do not work as expected.
Solution
This issue can be resolved by creating an ESV secret for the AWS Secret Access Key in your development environment. Ensure the ESV name exists in your staging and production environments before you promote your changes.
See Introduction to ESVs for further information.
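As an added example that is not part of this article or of ForgeRock's own tooling: a POSIX shell script that stores the AWS Secret Access Key as an ESV in the development tenant through the Identity Cloud environment REST API and then confirms the same ESV name is defined in each staging and production tenant before you promote. The endpoint paths, the Accept-API-Version header, the JSON body shape, the accepted status codes, the ESV name and the tenant URLs and tokens are assumptions based on my reading of the ESV documentation; check them against Introduction to ESVs.

```shell
#!/bin/sh
# Added example, not ForgeRock code. Assumes the Identity Cloud environment
# REST API (PUT/GET /environment/secrets/{id}, Accept-API-Version header)
# and a bearer token per tenant; URLs, tokens and ESV name are placeholders.
set -eu
# ESV names start with "esv-" and use hyphens; constructed name for this example.
ESV_NAME="${ESV_NAME:-esv-aws-secret-access-key}"

# The placeholder written into the Push Notification service swaps hyphens for dots.
esv_placeholder() {
  printf '&{%s}\n' "$1" | tr '-' '.'
}

# JSON body for the ESV endpoint: the value goes in base64 with no line breaks.
esv_payload() {
  b64=$(printf '%s' "$2" | base64 | tr -d '\n')
  printf '{"description":"%s","encoding":"generic","useInPlaceholders":true,"valueBase64":"%s"}' "$1" "$b64"
}

# Create or update the ESV in a tenant; prints the HTTP status code.
# $1 tenant base URL, $2 access token, $3 AWS Secret Access Key value
create_esv() {
  esv_payload "AWS Secret Access Key for push notifications" "$3" |
    curl -sS -o /dev/null -w '%{http_code}' -X PUT "$1/environment/secrets/$ESV_NAME" \
      -H "Authorization: Bearer $2" -H 'Accept-API-Version: resource=2.0, protocol=1.0' \
      -H 'Content-Type: application/json' --data-binary @-
}

# Succeeds only when the ESV name is already defined in the tenant (HTTP 200).
esv_exists() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' "$1/environment/secrets/$ESV_NAME" \
      -H "Authorization: Bearer $2" -H 'Accept-API-Version: resource=2.0, protocol=1.0')
  [ "$code" = "200" ]
}

# usage: script.sh <dev-url> <dev-token> <secret-value> [<staging-url> <staging-token> [<prod-url> <prod-token>]]
main() {
  code=$(create_esv "$1" "$2" "$3"); shift 3
  case "$code" in 200|201) ;; *) echo "dev: creating $ESV_NAME failed (HTTP $code)" >&2; exit 1 ;; esac
  echo "dev: $ESV_NAME stored; reference it in the service as $(esv_placeholder "$ESV_NAME")"
  echo "dev: restart the tenant so the new ESV is loaded before testing push"
  # Each higher environment needs its own ESV with the same name; ESV values are never promoted.
  while [ $# -ge 2 ]; do
    esv_exists "$1" "$2" || { echo "$1: $ESV_NAME missing; create it before promoting" >&2; exit 1; }
    echo "$1: $ESV_NAME present"
    shift 2
  done
}
if [ $# -ge 3 ]; then main "$@"; fi
```

The script exits non-zero as soon as a higher-tier tenant lacks the ESV, so it can sit in front of the promotion step as a gate.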
See Also
How To Configure Service Credentials (Push Auth, Docker) in Backstage