diff --git a/aws-http-auth/internal/v4/signer.go b/aws-http-auth/internal/v4/signer.go
index ff5195cf..c8c7db63 100644
--- a/aws-http-auth/internal/v4/signer.go
+++ b/aws-http-auth/internal/v4/signer.go
@@ -57,7 +57,7 @@ func (s *Signer) Do() error {
 stringToSign := s.buildStringToSign(canonicalRequest)
 signature, err := s.Finalizer.SignString(stringToSign)
 if err != nil {
- return nil
+ return err
 }
 s.Request.Header.Set("Authorization",
diff --git a/aws-http-auth/sigv4a/sigv4a_test.go b/aws-http-auth/sigv4a/sigv4a_test.go
index fb6c2bc4..801afe2d 100644
--- a/aws-http-auth/sigv4a/sigv4a_test.go
+++ b/aws-http-auth/sigv4a/sigv4a_test.go
@@ -2,6 +2,7 @@ package sigv4a
 import (
 "crypto/ecdsa"
+ "crypto/rand"
 "encoding/asn1"
 "encoding/hex"
 "fmt"
@@ -379,3 +380,27 @@ func getSignature(r *http.Request) (
 return parts[0], parts[1], sig, nil
 }
+
+type readexploder struct{}
+
+func (readexploder) Read([]byte) (int, error) {
+ return 0, fmt.Errorf("readexploder boom")
+}
+
+func TestSignRequest_SignStringError(t *testing.T) {
+ randReader := rand.Reader
+ rand.Reader = readexploder{}
+ defer func() { rand.Reader = randReader }()
+ s := New()
+
+ err := s.SignRequest(&SignRequestInput{
+ Request: newRequest(http.NoBody),
+ PayloadHash: []byte(v4.UnsignedPayload),
+ })
+ if err == nil {
+ t.Fatal("expect error but didn't get one")
+ }
+ if expect := "readexploder boom"; expect != err.Error() {
+ t.Errorf("error mismatch: %v != %v", expect, err.Error())
+ }
+}
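Review bot: The corrected `return err` after `s.Finalizer.SignString` has no comment recording why this failure must propagate, so the invariant is easy to lose in a later refactor. I would add above the check `// A signing failure must reach the caller: returning nil here reports success for a request that never received its Authorization header.` The body of `Do()` starts and ends outside this hunk, so I cannot tell whether headers written earlier in the function stay on the request when signing fails; that is worth confirming and documenting in the same comment.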
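Review bot: `TestSignRequest_SignStringError` replaces the process-wide `crypto/rand.Reader`, so any test in this package that runs in parallel with it would also read from `readexploder` until the deferred restore fires. A comment such as `// Swaps the global crypto/rand.Reader; this test must not be marked t.Parallel().` would record that constraint. The test also checks only the returned error. Assuming `newRequest` returns the `*http.Request` that `SignRequest` mutates, keeping it in a variable and adding `if got := req.Header.Get("Authorization"); got != "" { t.Errorf("Authorization set after failed sign: %q", got) }` would pin that a failed signing leaves the request unsigned.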