The message is encoded for security purposes. The user may already have the permissions to decode it, but it won't be shown decoded in the console. In order to decode the message, open CloudShell and use the following command:
aws sts decode-authorization-message --encoded-message <encoded_message> \
--output text | jq '.'
When using CloudShell, it will assume the privileges that are allocated to the logged-in user/role.
To decode an authorization status message, a user must be granted permission through an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
Give your SCP statements meaningful Sids (Statement IDs) to make it easier to figure out what is failing; otherwise you will have to evaluate the message once it is decoded to figure out the root cause. You can use the --query flag to retrieve the parts of the message that are relevant to you.
You cannot customize the error message. You can get more information about the failed request without decoding the message by looking through your CloudTrail logs; however, I would advise against granting permissions to read the CloudTrail logs in general. Granting permissions to decode STS authorization messages is the best compromise, in my opinion.
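As an added example (not part of the answer above, and not AWS's own code), the script below shows the three pieces the answer describes: the minimal IAM policy that grants sts:DecodeAuthorizationMessage, the boto3 call that performs the decode (the same API the CLI command wraps), and a parser that pulls the matched statement IDs, principal, action, resource and request conditions out of a decoded message, flagging any matched statement that has no Sid. The sample decoded message is constructed to follow the documented shape of the DecodedMessage payload; the account ID, role name and statement IDs in it are made up.

```python
"""Triage an AWS access-denied error from a decoded authorization message.

Added example, not from the original answer. SAMPLE_DECODED is a constructed
payload in the documented DecodedMessage shape; all identifiers are made up.
"""
import json

# Minimal IAM policy a principal needs before the decode call will succeed.
DECODE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDecodeAuthorizationMessage",
        "Effect": "Allow",
        "Action": "sts:DecodeAuthorizationMessage",
        "Resource": "*",
    }],
}

# Constructed sample of the JSON string returned in DecodedMessage.
# The first matched statement has a meaningful Sid, the second has none,
# which is exactly the situation the advice about Sids is about.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [
        {"statementId": "DenyEc2OutsideApprovedRegions", "effect": "DENY",
         "principals": {"items": [{"key": "AROAEXAMPLEID",
                                   "value": "arn:aws:iam::111122223333:role/DevRole"}]},
         "principalGroups": {"items": []},
         "actions": {"items": [{"value": "ec2:RunInstances"}]},
         "resources": {"items": [{"value": "*"}]},
         "conditions": {"items": []}},
        {"statementId": "", "effect": "DENY",
         "principals": {"items": []}, "principalGroups": {"items": []},
         "actions": {"items": [{"value": "ec2:*"}]},
         "resources": {"items": [{"value": "*"}]},
         "conditions": {"items": []}},
    ]},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AROAEXAMPLEID:dev-session",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevRole/dev-session"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:ap-southeast-2:111122223333:instance/*",
        "conditions": {"items": [
            {"key": "aws:RequestedRegion",
             "values": {"items": [{"value": "ap-southeast-2"}]}},
        ]},
    },
})


def cli_command(encoded_message: str) -> str:
    """The CloudShell one-liner equivalent to decode_with_boto3 (for reference)."""
    return (f"aws sts decode-authorization-message --encoded-message {encoded_message} "
            "--query DecodedMessage --output text | jq '.matchedStatements.items[].statementId'")


def decode_with_boto3(encoded_message: str) -> dict:
    """Real decode via sts:DecodeAuthorizationMessage; needs credentials and the policy above."""
    import boto3  # imported lazily so the offline parsing below runs without boto3
    resp = boto3.client("sts").decode_authorization_message(EncodedMessage=encoded_message)
    return parse_decoded_message(resp["DecodedMessage"])


def parse_decoded_message(decoded_message: str) -> dict:
    """DecodedMessage is itself a JSON document encoded as a string."""
    return json.loads(decoded_message)


def summarize_denial(decoded: dict) -> dict:
    """Reduce a decoded message to the fields a responder looks at first."""
    ctx = decoded.get("context", {})
    matched = decoded.get("matchedStatements", {}).get("items", [])
    conditions = ctx.get("conditions", {}).get("items", [])
    return {
        "allowed": decoded.get("allowed"),
        "explicit_deny": decoded.get("explicitDeny"),
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        # Empty or missing Sids are reported explicitly so they stand out.
        "matched_statement_ids": [s.get("statementId") or "<no Sid>" for s in matched],
        "unnamed_statements": sum(1 for s in matched if not s.get("statementId")),
        "request_conditions": {c["key"]: [v["value"] for v in c["values"]["items"]]
                               for c in conditions},
    }


if __name__ == "__main__":
    print(json.dumps(summarize_denial(parse_decoded_message(SAMPLE_DECODED)), indent=2))
```

The `unnamed_statements` count is the practical reason for the Sid advice: a matched statement with an empty `statementId` forces you to match its actions, resources and conditions back to the SCP by hand, whereas a named one tells you which statement to open immediately.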