How do I decode an encoded authorization error message for AWS Backup?


I want to decode an encoded authorization status message for AWS Backup.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Prerequisite: You must have the sts:DecodeAuthorizationMessage AWS Identity and Access Management (IAM) permission to decode an authorization status message.

To decode an authorization status message, run the decode-authorization-message command.

If you use a Linux-based operating system, then run the following command with the jq utility:

aws sts decode-authorization-message --encoded-message (encoded error message) --query DecodedMessage --output text | jq '.'

For more information about jq, see jq on the ./jq website.

Example output:

{
  "allowed": false,
  ...
  "context": {
    "principal": {
      "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
    "conditions": {
      "items": [
        ...
}

In the preceding example output, the principal is the restore role AWSBackupDefaultServiceRole, the denied action is iam:PassRole, and the resource is the AmazonSSMRoleForInstancesQuickSetup role. The restore role must have the iam:PassRole permission for the AmazonSSMRoleForInstancesQuickSetup role, which is required to restore the instance. To resolve this issue, add the iam:PassRole permission to the IAM policy for the restore role.
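As an added example (not code from the AWS article), the following Python script takes a decoded authorization message of the shape shown above, extracts the principal role, the denied action and the resource, and builds the scoped IAM statement that resolves the denial. The sample decoded message is constructed to match the example output; decode_with_sts is a hypothetical helper name that wraps the boto3 STS call equivalent to the CLI command, and is only needed when decoding a fresh message.

```python
import json

# Constructed sample, shaped like the decoded message in the article (fields that
# the article elides are omitted here).
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "context": {
        "principal": {
            "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/"
                   "AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole",
        },
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
        "conditions": {"items": []},
    },
})


def decode_with_sts(encoded_message):
    """Hypothetical helper: same call as `aws sts decode-authorization-message`.
    Needs credentials that hold sts:DecodeAuthorizationMessage."""
    import boto3  # imported lazily so the offline part of this script runs without it
    sts = boto3.client("sts")
    return sts.decode_authorization_message(EncodedMessage=encoded_message)["DecodedMessage"]


def role_name_from_assumed_role_arn(arn):
    """arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName> -> <RoleName>"""
    resource = arn.split(":", 5)[5]          # "assumed-role/<RoleName>/<SessionName>"
    parts = resource.split("/")
    if parts[0] != "assumed-role" or len(parts) < 2:
        raise ValueError(f"not an assumed-role ARN: {arn}")
    return parts[1]


def summarize_denial(decoded_json):
    """Return the role, denied action, resource and a least-privilege statement
    scoped to that resource; None when the request was actually allowed."""
    msg = json.loads(decoded_json)
    if msg.get("allowed"):
        return None
    ctx = msg["context"]
    return {
        "role": role_name_from_assumed_role_arn(ctx["principal"]["arn"]),
        "action": ctx["action"],
        "resource": ctx["resource"],
        "suggested_statement": {"Effect": "Allow", "Action": ctx["action"],
                                "Resource": ctx["resource"]},
    }


if __name__ == "__main__":
    print(json.dumps(summarize_denial(SAMPLE_DECODED), indent=2))
```

The suggested statement is scoped to the single role ARN from the message rather than to `*`, which is the form to attach to the restore role's policy.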

AWS OFFICIAL | Updated 7 months ago