Credential should be scoped to a valid region
TL;DR — Signature Version 4 bakes a region into each request's credential scope. This error means the region in that scope doesn't match the region of the endpoint you actually hit — you signed for one region and sent the request to another (or used an invalid region code). Make the client's configured region match the endpoint you call.
What it means
InvalidSignatureException: Credential should be scoped to a valid region, not 'us-west-1'.Every signed AWS request carries a credential scope — a date/region/service/aws4_request string the signature is computed over. AWS re-derives the expected signature from the endpoint that received the request. If the region embedded in your scope isn't the region serving the request, verification fails with this message. It's an HTTP 400, client-side, and not retryable until the region is corrected.
Why it happens
- Signed for one region, sent to another — the SDK's configured
regiondiffers from a hard-coded or overriddenendpointpointing at a different region. - A custom endpoint without a matching region — you set
endpoint: https://dynamodb.eu-west-2.amazonaws.combut left the client region ateu-west-1. - An invalid or empty region string — a typo or an unset env var yields a scope AWS can't accept as valid.
- A proxy or gateway that forwards the request to a different regional endpoint than the one it was signed for.
How to fix it
- Match the client region to the endpoint. If you point at
dynamodb.<region>.amazonaws.com, set the client'sregionto that same<region>. - Prefer setting only the region and let the SDK build the endpoint — drop manual
endpointoverrides unless you truly need one (e.g. DynamoDB Local). - Verify the region code is valid (
us-east-1,eu-west-2, …) and actually set — checkAWS_REGION/AWS_DEFAULT_REGIONand any config file. - For assumed-role or cross-region setups, confirm the request is signed with the region you intend to send it to, not a default inherited elsewhere.
For DynamoDB Local, point the endpoint at http://localhost:8000 and give the client any consistent region — the region just has to match what the client signs with.
Related errors
- The request signature we calculated does not match — a broader SigV4 signature mismatch (bad secret key or canonicalization).
- The security token included in the request is invalid — bad or expired credentials rather than a region scope.
- You must specify a region — no region configured at all.