Friday, October 12, 2018

AWS decode authorization message

AWS - How-to decode authorization error messages

Today I came across an interesting issue in AWS

I was mapping Jenkins to launch EC2 slaves dynamically[yes finally, i did it :-)]

The Launch configuration was giving some errors unreadable and was really confused about whats wrong and where

Finally identified, that the AWS Authorization messages thrown out on any request is bound to generate an encoded message, which is really confusing !!!

The encode message thus generated as part of EC2 access permissions error will have to deciphered by decoding the same using the AWS CLI utility. Yessss !!! AWS has it all !!!

Usage Syntax:

  1. connect to the EC2 which is raising this permission/authorization error
  2. from AWS CLI, aws sts decode-authorization-message  --encoded-message <<paste the encoded error here>>
  3. Now AWS responds with the hinted english text for us to understand the issue better


  1. The EC2 instance profile role(if launched using a profile role) should have sts:DecodeAuthorizationMessage policy added
  2. If EC2 is launched via user - access permissions, then IAM user need to have this privilege to sts:DecodeAuthorizationMessage
Hope this was useful to my fellow Cloud folks !!!

No comments:

Post a Comment