Decoding an Encrypted Authorization/Error message in AWS

Question

Some actions that involve IAM permissions may return a Client.UnauthorizedOperation responses.

score 3 · Accepted Answer · edited Jun 06 '22 at 17:17

You can decrypt the message from the CLI using the following command:

$> aws sts decode-authorization-message --encoded-message <encoded message from error>

This will give you an output that looks like:

{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"APOZIAANAVSK6I6FK2RQI:i-66c78ee7","arn":"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7"},"action":"iam:PassRole","resource":"arn:aws:iam::<aws-account-id>:role/my-role-ec2","conditions":{"items":[]}}}

The error message is actually encoded JSON inside "", by default the embedded quotes (") are escaped as \"; to facilitate reading the error, extract the message portion and use a text editor to replace \" with ".

score 1 · Answer 2 · answered Aug 17 '23 at 09:21

1

To get it more readable:

aws sts decode-authorization-message --encoded-message \
[the_message] | jq .DecodedMessage -r | jq

If you don't have jq you can take it e.g. from here https://stedolan.github.io/jq

answered Aug 17 '23 at 09:21

Putnik

5,925
7
38
58

score 0 · Answer 3 · answered Aug 20 '23 at 07:18

0

Run this below code for easier reading of the error in JSON format.

aws sts decode-authorization-message --encoded-message  <encode_message> --query DecodedMessage --output text | jq '.'

answered Aug 20 '23 at 07:18

Praveen Gowda

156
1
5

Decoding an Encrypted Authorization/Error message in AWS

3 Answers3