I want to propose to enhance the Documentation "I'm authorized but I'm still getting 403s" (https://docs.quay.io/issues/auth-failure.html)

As recently discovered, Pre-signed URI's from quay to backend blobs rely on time synchronization between the Quay instance and the Backend. With a default of ~10minutes, drifts between the Quay instance and the Backend larger than that, will return 403 errors even though authentication and permissions are setup/configured correctly.

Proposing to add another section to the page https://docs.quay.io/issues/auth-failure.html to avoid creation of cases and ensure, people do keep time sync issues on their mind.

Time differs between the Quay instance and the S3 backend system
Presigned URIs to access then backend are only valid for a certain amount of time. To large drifts between the Quay instance and the S3 backend will result in unauthenticated responses and return a HTTP 403 error