Open
Labels: bug (This issue is a bug.), p3 (This is a minor priority issue)
Description
Checkboxes for prior research
- I've gone through Developer Guide and API reference
- I've checked AWS Forums and StackOverflow.
- I've searched for previous similar issues and didn't find any solution.
Describe the bug
We're encountering an `InvalidSignatureException` due to AWS SigV4 signature expiration when using the SFN client in a Lambda function that's triggered by an SQS FIFO queue. The error indicates that the request signature has expired beyond the 5-minute window allowed by AWS.
Regression Issue
- Select this option if this issue appears to be a regression.
SDK version number
@aws-sdk/client-sfn@3.226.0, ...
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
Node.js 20.x (Lambda NodeJS runtime)
Reproduction Steps
Original Code (without credential resolution)
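```ts
import { SFNClient, StartSyncExecutionCommand } from "@aws-sdk/client-sfn";
import { SqsFifoPartialProcessor, processPartialResponseSync } from "@aws-lambda-powertools/batch";
import type { SQSHandler, SQSRecord } from "aws-lambda";
// `logger` and the StartAnalyticsStateMachineWorkerEnv type are defined
// elsewhere in the reporter's project and are not shown in the issue.

const { STATE_MACHINE_ARN } = process.env as StartAnalyticsStateMachineWorkerEnv;
// The client is created once, outside the handler.
const sfn = new SFNClient({});

// Starts one synchronous Step Functions execution per SQS record.
const recordHandler = async (record: SQSRecord) => {
  try {
    await sfn.send(
      new StartSyncExecutionCommand({
        stateMachineArn: STATE_MACHINE_ARN,
        input: record.body,
      })
    );
  } catch (error) {
    logger.error("Error processing record", {
      error,
      record,
    });
    throw error;
  }
};

const processor = new SqsFifoPartialProcessor();

export const handler: SQSHandler = async (event, context) =>
  processPartialResponseSync(event, recordHandler, processor, {
    context,
  });
```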
Attempted Fix (with forced credential resolution)
```ts
const recordHandler = async (record: SQSRecord) => {
  try {
    await sfn.config.credentials(); // force credential resolution - DIDN'T WORK
    await sfn.send(
      new StartSyncExecutionCommand({
        stateMachineArn: STATE_MACHINE_ARN,
        input: record.body,
      })
    );
  } catch (error) {
    logger.error("Error processing record", {
      error,
      record,
    });
    throw error;
  }
};
```
Observed Behavior
```
Signature expired: 20250617T103212Z is now earlier than 20250617T103417Z (20250617T103917Z - 5 min.)
```
Expected Behavior
The SFN client should generate fresh AWS SigV4 signatures for each request and execute the Step Function without signature expiration errors.
Possible Solution
No response
Additional Information/Context
- AWS SDK Version: `"@aws-sdk/client-sfn": "3.226.0"`
- Runtime: AWS Lambda (Node.js)
- Trigger: SQS FIFO Queue
- Additional Dependencies: Using SQS partial batch processing from [AWS Lambda Powertools](https://docs.powertools.aws.dev/lambda/typescript/latest/utilities/batch/#fifo-queues)
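
An added example (not part of the original issue or of the SDK): parsing the error text under Observed Behavior shows how long after signing the service evaluated the request. The type, function and field names are this example's own, and the message layout is assumed from the single error string quoted in this issue.

```typescript
// Added example; the type, function and field names are this example's own.
interface SigV4Expiry {
  signedAt: Date;        // timestamp the client put in the signature
  cutoff: Date;          // oldest signing time the service still accepted
  serverNow: Date;       // service clock when it checked the request
  windowSeconds: number; // serverNow - cutoff
  ageSeconds: number;    // serverNow - signedAt
  overBySeconds: number; // how far past the window the signature was
}

// Parse a SigV4 basic-format UTC timestamp such as 20250617T103212Z.
function parseAmzDate(stamp: string): Date {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(stamp);
  if (m === null) {
    throw new Error("not a SigV4 timestamp: " + stamp);
  }
  return new Date(Date.UTC(
    Number(m[1]), Number(m[2]) - 1, Number(m[3]),
    Number(m[4]), Number(m[5]), Number(m[6])
  ));
}

// Returns null when the text is not a "Signature expired" message.
function explainExpiry(message: string): SigV4Expiry | null {
  const m = /Signature expired: (\S+) is now earlier than (\S+) \((\S+) - \d+ min\.\)/.exec(message);
  if (m === null) {
    return null;
  }
  const signedAt = parseAmzDate(String(m[1]));
  const cutoff = parseAmzDate(String(m[2]));
  const serverNow = parseAmzDate(String(m[3]));
  const windowSeconds = (serverNow.getTime() - cutoff.getTime()) / 1000;
  const ageSeconds = (serverNow.getTime() - signedAt.getTime()) / 1000;
  return { signedAt, cutoff, serverNow, windowSeconds, ageSeconds,
           overBySeconds: ageSeconds - windowSeconds };
}

// The error string quoted under "Observed Behavior" in this issue.
const OBSERVED = "Signature expired: 20250617T103212Z is now earlier than " +
  "20250617T103417Z (20250617T103917Z - 5 min.)";
const observedReport = explainExpiry(OBSERVED);
```

For the message in this issue, the request was signed at 10:32:12Z and evaluated at 10:39:17Z: 425 seconds later, 125 seconds past the 300-second window.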
aBurmeseDev commented on Jun 20, 2025
Hi @bayoudhi - thanks for reaching out.
Below are a couple of similar issues that were previously reported in this repo and suggestions made by the team in comments. Please refer to them and let me know if the issue persists.
bayoudhi commented on Jun 20, 2025
Hi @aBurmeseDev, thanks for the quick response.
I reviewed them and they all recommend using top-level await, but unfortunately I can't use TLA here because my Step Functions request depends on the incoming Lambda event data:
Since each SQS record contains unique data for the Step Functions input, the API call must happen inside the handler after processing each record. I can't move this logic outside the handler.
The signature expiration happens during long-running Lambda executions when processing multiple SQS records sequentially. Has anyone found a solution for signature expiration in event-driven scenarios where the API call can't be moved outside the handler?