Decoding AWS access errors

23-Mar, 2017

AWS is a really amazing set of tools, but when using it properly you want to ensure that you are running it with least-privilege access. When testing this you often get a series of messages with the dreaded text of:

You are not authorized to perform this operation. Encoded authorization failure message…

This is followed by an encoded string which is next to useless for working out what has gone wrong. As always, the fix can be found in the AWS CLI, specifically the sts decode-authorization-message subcommand. To decode the message, run the following command:

aws sts decode-authorization-message --encoded-message <big_nasty_string>

and you will get a result as follows:

"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"SECRET\",\"name\":\"MyUser\",\"arn\":\"arn:aws:iam::000:user/MyUser\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::000:role/MyRole-B4WV0JCNQVGU\",\"conditions\":{\"items\":[]}}}"

Still not incredibly clear, but by looking at it more closely you can see that the request was denied ("allowed":false) while trying to execute the action "action":"iam:PassRole" on the role named in "resource". In order to fix this problem I need to grant the user the iam:PassRole permission.
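Reading that blob by eye gets old quickly, so here is an added example (not code from the original post) that parses the DecodedMessage JSON in the layout shown above and turns it into a short verdict: principal, action, resource, and whether the denial was explicit (a Deny statement matched) or implicit (no Allow statement matched, which is what "explicitDeny":false with an empty matchedStatements list means). The sample input is the post's own decoded output with its placeholder values; the decode_with_sts helper is an assumption that boto3 is installed and that the caller holds the sts:DecodeAuthorizationMessage permission, which is required to call the API at all.

```python
"""Summarise the output of `aws sts decode-authorization-message`.

Added example, not from the original post. It assumes the JSON field layout
shown in the post's DecodedMessage (allowed, explicitDeny, matchedStatements,
failures, context.principal/action/resource/conditions).
"""
import json

# Constructed sample: the DecodedMessage string from the post, unescaped
# (i.e. what you get after json.loads on the CLI's outer JSON), with the
# same placeholder values ("SECRET", account 000) the post uses.
SAMPLE_DECODED = (
    '{"allowed":false,"explicitDeny":false,'
    '"matchedStatements":{"items":[]},"failures":{"items":[]},'
    '"context":{"principal":{"id":"SECRET","name":"MyUser",'
    '"arn":"arn:aws:iam::000:user/MyUser"},'
    '"action":"iam:PassRole",'
    '"resource":"arn:aws:iam::000:role/MyRole-B4WV0JCNQVGU",'
    '"conditions":{"items":[]}}}'
)


def summarize(decoded_message: str) -> dict:
    """Parse a DecodedMessage JSON string and explain the authorization result."""
    msg = json.loads(decoded_message)
    ctx = msg.get("context", {})
    principal = ctx.get("principal", {})
    matched = msg.get("matchedStatements", {}).get("items", [])

    # Three outcomes: allowed, explicit deny (a Deny statement matched),
    # or implicit deny (nothing allowed it). The last one is the common
    # least-privilege case: the policy is simply missing an Allow.
    if msg.get("allowed"):
        verdict = "allowed"
    elif msg.get("explicitDeny"):
        verdict = "explicit deny (a Deny statement matched)"
    else:
        verdict = "implicit deny (no Allow statement matched)"

    summary = {
        "principal": principal.get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "verdict": verdict,
        "matched_statements": matched,
        "conditions": ctx.get("conditions", {}).get("items", []),
    }
    if not msg.get("allowed") and not msg.get("explicitDeny"):
        # Implicit deny: the fix is to add an Allow for this action/resource.
        summary["fix_hint"] = (
            f"grant {principal.get('arn')} an Allow for {ctx.get('action')} "
            f"on {ctx.get('resource')}"
        )
    return summary


def decode_with_sts(encoded_message: str) -> dict:
    """Hypothetical helper: decode via the STS API, then summarise.

    Assumes boto3 is installed with credentials configured, and that the
    caller is allowed to call sts:DecodeAuthorizationMessage. boto3 is
    imported here so the rest of the module runs offline.
    """
    import boto3  # assumption: boto3 available in the environment

    resp = boto3.client("sts").decode_authorization_message(
        EncodedMessage=encoded_message
    )
    return summarize(resp["DecodedMessage"])


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DECODED).items():
        print(f"{key}: {value}")
```

Running the module prints the verdict for the post's sample: an implicit deny of iam:PassRole for arn:aws:iam::000:user/MyUser on the MyRole-B4WV0JCNQVGU role, with a hint to add the missing Allow. For live use, pipe the CLI output straight in, e.g. pass the value of `--query DecodedMessage --output text` to summarize().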
