Credential should be scoped to a valid region

TL;DR — Signature Version 4 bakes a region into each request's credential scope. This error means the region in that scope doesn't match the region of the endpoint you actually hit — you signed for one region and sent the request to another (or used an invalid region code). Make the client's configured region match the endpoint you call.

What it means

InvalidSignatureException: Credential should be scoped to a valid region, not 'us-west-1'.

Every signed AWS request carries a credential scope — a date/region/service/aws4_request string the signature is computed over. AWS re-derives the expected signature from the endpoint that received the request. If the region embedded in your scope isn't the region serving the request, verification fails with this message. It's an HTTP 400, client-side, and not retryable until the region is corrected.

Why it happens

  • Signed for one region, sent to another — the SDK's configured region differs from a hard-coded or overridden endpoint pointing at a different region.
  • A custom endpoint without a matching region — you set endpoint: https://dynamodb.eu-west-2.amazonaws.com but left the client region at eu-west-1.
  • An invalid or empty region string — a typo or an unset env var yields a scope AWS can't accept as valid.
  • A proxy or gateway that forwards the request to a different regional endpoint than the one it was signed for.

How to fix it

  1. Match the client region to the endpoint. If you point at dynamodb.<region>.amazonaws.com, set the client's region to that same <region>.
  2. Prefer setting only the region and let the SDK build the endpoint — drop manual endpoint overrides unless you truly need one (e.g. DynamoDB Local).
  3. Verify the region code is valid (us-east-1, eu-west-2, …) and actually set — check AWS_REGION/AWS_DEFAULT_REGION and any config file.
  4. For assumed-role or cross-region setups, confirm the request is signed with the region you intend to send it to, not a default inherited elsewhere.

For DynamoDB Local, point the endpoint at http://localhost:8000 and give the client any consistent region — the region just has to match what the client signs with.

无需控制台即可使用 DynamoDB

DynoTable 是面向 DynamoDB 的快速桌面客户端 —— 浏览表、运行 SQL 风格的查询,并在本地编辑项。