How do I decode an encoded authorization error message for AWS Backup?

2 minute read

I want to decode an encoded authorization status message for AWS Backup.

Short description

A message is encoded because the details of the authorization status might contain privileged information that the user who requested the operation can't see. A decoded message includes the following type of information:

Whether the request was denied because of an explicit deny or the absence of an explicit allow. For more information, see Determining whether a request is allowed or denied within an account.
The principal who made the request.
The requested action.
The requested resource.
The values of conditions keys in the context of the user's request.

For example, if a user isn't authorized to perform an operation that they requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some AWS operations also return an encoded message that can provide details about an authorization failure.

Resolution

Prerequisite: You must have the sts:DecodeAuthorizationMessage AWS Identity and Access Management (IAM) permission to decode an authorization status message.

To decode an authorization status message, use the AWS Command Line Interface (AWS CLI) to run the decode-authorization-message command. The following is an example command:

Tip: If you're using a Linux-based operating system, then you can combine this command with the jq utility (from the GitHub website) to see a viewer-friendly output.

aws sts decode-authorization-message --encoded-message (encoded error message) --query DecodedMessage --output text | jq '.'

Note: If you receive errors when running AWS CLI commands, then make sure that you're using the most recent version of the AWS CLI.

The following is an example output of the preceding command:

{  
"allowed": false,  
  
…..  
  
"context": {  
"principal": {  
"id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",  
"arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"  
},  
"action": "iam:PassRole",  
"resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",  
"conditions": {  
"items": [  
  
…..  
  
}

The example output shows that the restore role is AWSBackupDefaultServiceRole. The restore role must have the iam:PassRole permission so that it can interact with the AmazonSSMRoleForInstancesQuickSetup role that's required to restore the instance. To resolve this example issue, use the IAM policy to add permissions for the IAM role.

Related information

How do I troubleshoot failed Amazon EC2 restore jobs using AWS Backup?

Topics

Storage

Relevant content

How can I return a custom error message in the body through a lambda authorizer?
Frederico Pires
asked 10 months ago
Validation of the SES message signature fails because of the diamonds in the Message field
MarkBB
asked 5 months ago
How to create Keras's encoder-decoder model's endpoint?
steve13
asked 5 years ago
CloudFront is dropping Content-Length (might relate to Content-Encoding)
Michal
asked 10 months ago
Getting an error of "message": "User: arn:aws:iam::*****:user/**** is not authorized to perform: serverlessrepo:CreateCloudFormationTemplate on resource: #####.dkr.ecr.us-east-1.amazonaws.com/
rePost-User-9168878
asked a year ago
Why is my backup job in the EXPIRED status in AWS Backup?
AWS OFFICIALUpdated 9 months ago
How do I decode an authorization failure message after I receive an "UnauthorizedOperation" error during an EC2 instance launch?
AWS OFFICIALUpdated 2 months ago
How do I troubleshoot the “You are not authorized to perform this operation" error when I try to restore my Amazon EC2 instance?
AWS OFFICIALUpdated 10 months ago
How do I resolve the tagging permission error in my CloudFormation stack?
AWS OFFICIALUpdated 8 months ago
How to use JWT tokens for authorization with AWS KMS in NodeJs Lambdas
EXPERT
Antonio_Lagrotteria
published a month ago