While using AWS CLI, if you get an Encoded authorization failure message
like the one below, decoding it requires one more command.
```
A client error (UnauthorizedOperation) occurred when calling the RunInstances operation:
You are not authorized to perform this operation. Encoded authorization failure message:
oGsbAaIV7wlfj8zUqebHUANHzFbmkzILlxyj__y9xwhIHk99U_cUq1FIeZnskWDjQ1wSHStVfdCEyZILGoccGpCiCIhORceWF9rRwFTnEcRJ3N9iTrPAE1WHveC5Z54ALPaWlEjHlLg8wCaB8d8lCKmxQuylCm0r1Bf2fHJRUjAYopMVmga8olFmKAl9yn_Z5rI120Q9p5ZIMX28zYM4dTu1cJQUQjosgrEejfiIMYDda8l7Ooko9H6VmGJXS62KfkRa5l7yE6hhh2bIwA6tpyCJy2LWFRTe4bafqAyoqkarhPA4mGiZyWn4gSqbO8o-uqSIvWYPweaKGkampa0arcFR4gBD7Ph097WYBkzX9hVjGppLMy4jpXRvjeA5o7TembBR-Jvowq6mNim0
```
You can run the command below to decode the encoded authorization message. The only requirement is that the user or role running it is allowed to call the sts:DecodeAuthorizationMessage API.
```
$ aws sts decode-authorization-message --encoded-message oGsbAaIV7wlfj8zUqebHUANHzFbmkzILlxyj__y9xwhIHk99U_cUq1FIeZnskWDjQ1wSHStVfdCEyZILGoccGpCiCIhORceWF9rRwFTnEcRJ3N9iTrPAE1WHveC5Z54ALPaWlEjHlLg8wCaB8d8lCKmxQuylCm0r1Bf2fHJRUjAYopMVmga8olFmKAl9yn_Z5rI120Q9p5ZIMX28zYM4dTu1cJQUQjosgrEejfiIMYDda8l7Ooko9H6VmGJXS62KfkRa5l7yE6hhh2bIwA6tpyCJy2LWFRTe4bafqAyoqkarhPA4mGiZyWn4gSqbO8o-uqSIvWYPweaKGkampa0arcFR4gBD7Ph097WYBkzX9hVjGppLMy4jpXRvjeA5o7TembBR-Jvowq6mNim0
```
Output:
```
{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"APOZIAANAVSK6I6FK2RQI:i-66c78ee7\",\"arn\":\"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::<aws-account-id>:role/my-role-ec2\",\"conditions\":{\"items\":[]}}}"
}
```
The decoded context shows that the denied action was iam:PassRole on arn:aws:iam::<aws-account-id>:role/my-role-ec2: the RunInstances request needed permission to pass that role, and no policy statement matched (allowed is false with explicitDeny false and an empty matchedStatements list, i.e. an implicit deny).
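Because DecodedMessage is a JSON document stored as a string inside the CLI's JSON output, it takes two parses to get at the fields. The helper below is an added example, not part of the original post: it takes the CLI output shown above (the account id is a placeholder), classifies the denial, and builds the narrowest Allow statement that would cover exactly the denied action and resource.

```python
import json

# Constructed sample: the same decoded message as the CLI output above,
# re-serialized so the example runs offline. <aws-account-id> is a placeholder.
SAMPLE_CLI_OUTPUT = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False, "explicitDeny": False,
        "matchedStatements": {"items": []}, "failures": {"items": []},
        "context": {
            "principal": {"id": "APOZIAANAVSK6I6FK2RQI:i-66c78ee7",
                          "arn": "arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7"},
            "action": "iam:PassRole",
            "resource": "arn:aws:iam::<aws-account-id>:role/my-role-ec2",
            "conditions": {"items": []},
        },
    })
})


def summarize_denial(cli_output: str) -> dict:
    """Parse `aws sts decode-authorization-message` output into a short summary.

    The outer document is JSON; DecodedMessage is a JSON string, hence the
    second json.loads().
    """
    outer = json.loads(cli_output)
    msg = json.loads(outer["DecodedMessage"])
    ctx = msg["context"]
    if msg["explicitDeny"]:
        reason = "explicit Deny statement matched"
    elif not msg["matchedStatements"]["items"]:
        reason = "no Allow statement matched (implicit deny)"
    else:
        reason = "denied"  # a statement matched but did not grant access (e.g. failed condition)
    return {
        "allowed": msg["allowed"],
        "reason": reason,
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
    }


def suggested_statement(summary: dict) -> dict:
    """Least-privilege Allow statement scoped to the single denied action/resource.

    Review before applying: iam:PassRole lets the principal hand this role to a
    service, so keep the Resource pinned to the specific role ARN.
    """
    return {"Effect": "Allow", "Action": summary["action"], "Resource": summary["resource"]}
```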
More information is on the official documentation page for the DecodeAuthorizationMessage API.