amazon-web-services amazon-ec2 amazon-iam aws-policies

Decoding an Encrypted Authorization/Error message in AWS

Some actions that involve IAM permissions may return a Client.UnauthorizedOperation responses.

Solution

You can decrypt the message from the CLI using the following command:

$> aws sts decode-authorization-message --encoded-message <encoded message from error>

This will give you an output that looks like:

{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"APOZIAANAVSK6I6FK2RQI:i-66c78ee7","arn":"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7"},"action":"iam:PassRole","resource":"arn:aws:iam::<aws-account-id>:role/my-role-ec2","conditions":{"items":[]}}}

The error message is actually encoded JSON inside "", by default the embedded quotes (") are escaped as \"; to facilitate reading the error, extract the message portion and use a text editor to replace \" with ".

Upload via presigned request - 403 forbidden for Unicode Filename
Best practices for developing scalable video transcoding server on Amazon Web Services?
Enable compression for AWS SQS Java API or how to tell if it's already on?
Getting no basic auth credential from AWS ECR when pulling image
How to load npm modules in AWS Lambda?
Amazon EFS vs S3: Which is better for appending small chunks of data to large files?
Is there a way to delay DynamoDB stream emissions while nearly parallel data is upserted to a record?
Push docker image to amazon ecs repository
AWS SSM Agent - Using the aws cli, is there a way to list all the AWS instances that are missing the SSM agent?
CloudFormation is not authorized to perform: iam:PassRole on resource
S3 - Access-Control-Allow-Origin Header
How to run AWS codeartifact login and keep default registry
aws s3api restore-object permission error
AWS Amplify Functions allow.resource() not working
Is it possible to enrich a message on an sqs queue
Does EKS Auto Mode use AWS Load Balancer Controller?
kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster
AWS Elasticache -- How to flush node from console?
How to parameterize prevent_destroy lifecycle configuration in Terraform?
RDS instance start: which subnet/AZ is selected?
Connection refused error (127.0.0.1:4566) for Localstack S3
Problem with file directory link in amazon s3
Can I use aws-advanced-jdbc-wrapper with MySQL?
Creating Lambda Snapstart with Typescript CDK
How to force SQL Server container to immediately update MDF file in Docker volume?
AWS Cloudwatch agent config file removed after startup
AWS lambda SQS does not allow to process 1 message per 1 invocation
How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
Cloudfront redirect when signed cookies not present
AWS Lambda and DynamoDB - updatetItem is not a function