How do I troubleshoot the Client.UnauthorizedOperation error while provisioning CIDR from the IPAM pool?


I want to troubleshoot the Client.UnauthorizedOperation error I get while provisioning CIDR from the Amazon VPC IP Address Manager (IPAM) pool.

Short description

When you run the AWS Command Line Interface (AWS CLI) command provision-public-ipv4-pool-cidr against an IPAM pool that was shared with you, you might get the following error, even though you have administrator access in your own account:

Client.UnauthorizedOperation
You are not authorized to perform this operation. Encoded authorization failure message

This error occurs if the AWSRAMDefaultPermissionsIpamPool managed permission was not used when the pool was shared. Most likely the AWSRAMPermissionIpamPoolByoipCidrImport permission was used instead. Use that permission only if you have existing BYOIP CIDRs that you want to import into IPAM; it does not allow provisioning or allocating CIDRs from the pool.

Use the AWSRAMDefaultPermissionsIpamPool permission to allow principals in the receiving account to view CIDRs and allocations, and to allocate or release CIDRs in the shared pool.

Note: The pool is shared from account A (the pool owner, which owns the AWS RAM resource share) to account B. Account B observes this error while provisioning CIDRs. However, you must resolve the error in account A, because only the owner of the resource share can change the permissions that are associated with it.

For more information on permissions, see Share an IPAM pool using AWS RAM.

Resolution

Follow these steps in account A to resolve the error.

List the permissions

  1. Run the following CLI command to list the managed permissions that are associated with the resource share. The output includes the ARN and name of each permission.
    Note: If you receive errors when running the CLI command, make sure that you're using the most recent version of the AWS CLI.
    aws ram list-resource-share-permissions --resource-share-arn <ARN of the resource share of IPAM pool>
    Note: Replace <ARN of the resource share of IPAM pool> with the ARN of the AWS RAM resource share that contains the IPAM pool (the resource share ARN, not the ARN of the pool itself).
  2. Then, run the following CLI command to view the details of a permission:
    aws ram get-permission --permission-arn <ARN of the Permission>
    Note: Replace <ARN of the Permission> with the ARN of a permission returned in step 1.

Update the resource share

If the output shows that the share uses the AWSRAMPermissionIpamPoolByoipCidrImport permission, replace the permission as follows:

  1. Navigate to the Shared by me: Resource shares page in the AWS RAM console.
  2. Select the resource share and then choose Modify.
  3. Choose Next.
  4. Under Associate a managed permission with each resource type, choose AWSRAMDefaultPermissionsIpamPool.
  5. Choose Next, Go to Review and Update.
  6. Choose Update resource share.
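As an added example that is not part of the AWS article, the following POSIX shell script automates the two steps above in account A: it parses the output of list-resource-share-permissions to classify the share, and it swaps the managed permission with the AWS CLI (associate-resource-share-permission with --replace) instead of the console. The sample JSON and the managed-permission ARNs embedded in it are constructed for the demonstration, and find_ipam_pool_share_arn assumes the account owns a single resource share that contains an IPAM pool. Only ipam_share_permission_check runs offline; the other functions call the AWS CLI.

```shell
#!/bin/sh
# Added example, not part of the AWS article: diagnose and fix the managed
# permission on the AWS RAM resource share that shares an IPAM pool.
# Run it in account A (the pool owner). The "aws" calls need the AWS CLI and
# credentials for account A; the check function itself only parses JSON.

# Constructed sample outputs of
#   aws ram list-resource-share-permissions --resource-share-arn <share ARN>
# The permission ARNs are assumed for the demonstration.
EXAMPLE_BYOIP_ONLY='{"permissions":[{"arn":"arn:aws:ram::aws:permission/AWSRAMPermissionIpamPoolByoipCidrImport","version":"1","defaultVersion":true,"name":"AWSRAMPermissionIpamPoolByoipCidrImport","resourceType":"ec2:IpamPool","status":"ATTACHABLE"}]}'
EXAMPLE_DEFAULT='{"permissions":[{"arn":"arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool","version":"1","defaultVersion":true,"name":"AWSRAMDefaultPermissionsIpamPool","resourceType":"ec2:IpamPool","status":"ATTACHABLE"}]}'

# ipam_share_permission_check JSON
# JSON is the raw output of list-resource-share-permissions. Prints one verdict:
#   OK                 AWSRAMDefaultPermissionsIpamPool is attached (provisioning works)
#   BYOIP_IMPORT_ONLY  only the BYOIP import permission is attached (the cause in the article)
#   MISSING            neither IPAM pool permission is attached
# Exit status is 0 only for OK, so the verdict can drive a script.
ipam_share_permission_check() {
    names=$(printf '%s' "$1" | grep -o '"name": *"[^"]*"' | sed 's/.*"name": *"\([^"]*\)"/\1/')
    if printf '%s\n' "$names" | grep -qx 'AWSRAMDefaultPermissionsIpamPool'; then
        echo OK
        return 0
    fi
    if printf '%s\n' "$names" | grep -qx 'AWSRAMPermissionIpamPoolByoipCidrImport'; then
        echo BYOIP_IMPORT_ONLY
    else
        echo MISSING
    fi
    return 1
}

# find_ipam_pool_share_arn
# Prints the ARN of the resource share (owned by this account) that contains
# the first IPAM pool found. Assumes one such share exists.
find_ipam_pool_share_arn() {
    aws ram list-resources --resource-owner SELF --resource-type ec2:IpamPool \
        --query 'resources[0].resourceShareArn' --output text
}

# fix_ipam_share SHARE_ARN
# Replaces the managed permission for the ec2:IpamPool resource type on the
# share with AWSRAMDefaultPermissionsIpamPool. --replace is needed because a
# share carries only one managed permission per resource type.
fix_ipam_share() {
    share_arn=$1
    perm_arn=$(aws ram list-permissions --resource-type ec2:IpamPool \
        --query "permissions[?name=='AWSRAMDefaultPermissionsIpamPool'].arn | [0]" \
        --output text)
    if [ -z "$perm_arn" ] || [ "$perm_arn" = None ]; then
        echo "AWSRAMDefaultPermissionsIpamPool not found" >&2
        return 1
    fi
    aws ram associate-resource-share-permission \
        --resource-share-arn "$share_arn" \
        --permission-arn "$perm_arn" \
        --replace
}

# decode_failure_message ENCODED_MESSAGE
# Account B can decode the encoded authorization failure message from the
# error to see which action and resource were denied (needs the
# sts:DecodeAuthorizationMessage permission).
decode_failure_message() {
    aws sts decode-authorization-message --encoded-message "$1" \
        --query DecodedMessage --output text
}

# diagnose_and_fix
# Account A flow: classify the share, and replace the permission if it is wrong.
diagnose_and_fix() {
    share_arn=$(find_ipam_pool_share_arn)
    current=$(aws ram list-resource-share-permissions --resource-share-arn "$share_arn")
    verdict=$(ipam_share_permission_check "$current") || true
    echo "$share_arn: $verdict"
    [ "$verdict" = OK ] || fix_ipam_share "$share_arn"
}

# Offline demonstration on the constructed samples ("|| true" keeps set -e scripts alive).
ipam_share_permission_check "$EXAMPLE_BYOIP_ONLY" || true   # BYOIP_IMPORT_ONLY
ipam_share_permission_check "$EXAMPLE_DEFAULT"              # OK
```

Call diagnose_and_fix from a shell that has account A credentials; the verdict line tells you whether the share was already correct, and the fix leaves any other resource types in the share untouched because --replace only swaps the permission for the ec2:IpamPool type.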

Note: If you've updated the permission to AWSRAMDefaultPermissionsIpamPool but still get the Client.UnauthorizedOperation error, contact AWS Support.

AWS OFFICIAL
Updated a year ago