How do I troubleshoot the Client.UnauthorizedOperation error while provisioning CIDR from the IPAM pool?

3 minute read

I want to troubleshoot the Client.UnauthorizedOperation error I get while provisioning CIDR from the Amazon VPC IP Address Manager (IPAM) pool.

Short description

When you run the AWS Command Line Interface (AWS CLI) command provision-public-ipv4-pool-cidr from your shared IPAM pool you might get the following error, even though you have administrator access:

You are not authorized to perform this operation. Encoded authorization failure message

This error occurs if you didn't use the AWSRAMDefaultPermissionsIpamPool permission set when sharing the pool. Most likely you used the AWSRAMPermissionIpamPoolByoipCidrImport permission set instead. Use this permission only if you've existing BYOIP CIDRs and you want to import them to IPAM.

Use the permission AWSRAMDefaultPermissionsIpamPool to allow principals to view CIDRs and allocations and allocate or release CIDRs in the shared pool.

Note: The pool is shared from account A to account B. Account B observes this error while provisioning CIDRs. However, you need to resolve the error in account A.

For more information on permissions, see Share an IPAM pool using AWS RAM.


Follow these steps in account A to resolve the error.

List the permisssions

  1. Use the CLI command to list the permissions set with the resource share. This returns the ARNs of the permissions.
    Note: If you receive errors when running the CLI command, make sure that you're using the most recent version of AWS CLI.
    aws ram list-resource-share-permissions --resource-share-arn <ARN of the resource share of IPAM Pool>
    Note: Replace <ARN of the resource share of IPAM pool> with the ARN of the shared IPAM pool.
  2. Then, run the following CLI command to view the details of the permissions:
    aws ram get-permission --permission-arn <ARN of the Permission>
    Note: Replace <ARN of the Permission> with the ARN of the permission in the resource share.

Update the resource share

If the list shows you chose permission AWSRAMPermissionIpamPoolByoipCidrImport, change the permission as follows:

  1. Navigate to the Shared by me: Resource shares page in the AWS RAM console.
  2. Select the resource share and then choose Modify.
  3. Choose Next.
  4. Under Associate a managed permission with each resource type, choose AWSRAMDefaultPermissionsIpamPool.
  5. Choose Next, Go to Review and Update.
  6. Choose Update resource share.

Note: If you've updated your permission to AWSRAMDefaultPermissionsIpamPool but get the Client.UnauthorizedOperation error, contact AWS Support.

AWS OFFICIALUpdated a year ago

Sorry, there was an error processing your request. Please try again and if the error persists, contact AWS Customer Support .

replied 2 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 10 hours ago