How to show meaningful message with Tag Policy

1

When I added a Tag Policy to my resources, I can't get it to show a meaningful error message to the users who are violating this policy.

They get a message with an encoded authorization failure message that looks like this:

Instance launch failed
You are not authorized to perform this operation. Encoded authorization failure message: P1LEqsQ1orBoHehDtgplDLEXWiLanDeBQnxbP1nuXL6lPD4dPu9ziQleETlPnaHFjAVKJmdn4ZGl6xdTiD2LQILFWnqcHDAvZprs4aGvJ3WTS_igTs0Mxewe6ujcyUH1LcG7XhzgqUNEKEQGXvgNIQRpexi5HS0ggON_sJe5HRDFPjR8LciUwS1cJgQ1EnPagzU-Pm_ugNxuTBtp6K1SMLBM06JylxliLDI4IOuEx-PCirEGqPQ5H90nOVWA23Q6ah-UJ5WOmWnbC9lwvVjneDZ3VjoNJa3swU5zxbi-TTAHdMxAEY1RxpQ4F8T5OP-N-1qgXzuvWJArmMkIQ-1FDt28nM_76FMH8xateCHC1Ip9iJT0Jhwfjk9SSfRur37a3H1xILZfd-VwvlL2JJJZxR_YBb7lMiIvwutFRnBMCzNsAklA9cvxK03HQZmhzcov568iysIb8-WQwVrROJHtdKmfxZ5fX5RX58nfolurWQJBAnrlYCPiXZx1kqhFAm4p7pdXh5RyaJ_3tGYiFpeqnNUIHtVmhkEQdzsPmRomQh-GwYD6g3x3hRL2hh7eAjtH8ZfgIf67ofvOH19ErcHYHRLJjelwyrGudiFGMgKerqkscj8d0n2y4R8ddp8eNG6XkUARPEAAUF_l3z3MxMM6N6Ka5iV--8VCr1ikIkZLj-BNy9-EBWk7G64bJvWMAjyczTv1agRae_kGi_r773BWhKEaqhT82kCxwyfxmvy6WINhYiboPQ5cW-r_4EsJ61lgf9_HYT2kzClZcv_-8XAapHaugmeyZJSBxy4eUYfeGa4t7mwRzJhp0-Rtc19QeHMkzIIm1SIRSABijLsYO0950DbsGkosf1YufifYolTNU9swq5mcsVoZGA
Launch log
Initializing requests
Succeeded
Creating security groups
Succeeded
Creating security group rules
Succeeded
Launch initiation
Failed

I saw that there is an API call in STS that can decode it, which I couldn't really make work myself, since I don't know in which account in my Organization to run it. Nevertheless, it is not usable for the users that get this in the console or CLI.

What configurations or permissions should I add to make the error messages more meaningful?

1 Answer
0

CloudTrail will have a record of this event, which in this case would specifically be 'RunInstances'. Within this event we will be presented with a record of the operation attempted, including the user/role, event source, and tag information that we could use to compare against the configured tag policy. Additionally, we have the ability to centralize our CloudTrail log files from multiple accounts in an AWS Organization, which could be helpful from a reporting perspective.

Depending on the persistence of this issue, you may consider developing a custom notification system on CloudTrail events matching your criteria that would alert you to failed RunInstances operations resulting from a lack of required tag values.

https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html

AWS
answered a year ago
  • Thanks @Darren R for your attention. This is a lot of effort for a simple need: to show the user who is trying to launch a resource that violates the tag policy what tag they should put. I can't believe there is no simple way to show the error message without this weird encoding.

  • MLGuy - Running into the same issue. Enforcing tagging becomes way less useful if the error messaging is as bad as it is here. I'm afraid the cons of confusing developers far outweigh the pros of enforcing tagging at a company-wide level. Did you ever come up with a good solution to fix this?
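As an added illustration of the answer's suggestion (this is example code written for this page, not AWS's and not the answerer's), the script below triages CloudTrail records for RunInstances calls that failed with `Client.UnauthorizedOperation`, pulls out the caller, the tags that were actually requested, and the encoded message, and turns that into a plain-language notification naming the missing required tag keys. The sample CloudTrail records are constructed; the `tagSpecificationSet.items[].tags[]` layout, the `REQUIRED_TAGS` set standing in for whatever keys your tag policy enforces, and the `decode_with_sts` helper (which wraps the real boto3 `decode_authorization_message` call behind a client parameter so it can be exercised without AWS credentials) are all assumptions.

```python
"""Triage tag-policy denials from CloudTrail RunInstances records.

Added example, not code from the original post. Assumptions:
- The CloudTrail record shape (requestParameters.tagSpecificationSet.items[].tags[])
  is as constructed in SAMPLE_RECORDS below.
- REQUIRED_TAGS stands in for the keys your own tag policy requires.
- The decoded STS message is returned as a JSON document; only its parsed form is
  handed back here, no particular field layout is relied on.
"""
import json

# Stand-in for the tag keys the organization's tag policy enforces (assumption).
REQUIRED_TAGS = {"CostCenter", "Owner"}

ENCODED_PREFIX = "Encoded authorization failure message: "

# Constructed sample CloudTrail records: one denied launch with a placeholder
# encoded message (not a real token), and one successful launch to be ignored.
SAMPLE_RECORDS = [
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": ("You are not authorized to perform this operation. "
                         "Encoded authorization failure message: ENCODED_PLACEHOLDER"),
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevRole/alice"},
        "recipientAccountId": "111122223333",
        "requestParameters": {"tagSpecificationSet": {"items": [
            {"resourceType": "instance",
             "tags": [{"key": "Owner", "value": "alice"}]},
        ]}},
    },
    {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "recipientAccountId": "111122223333",
        "requestParameters": {"tagSpecificationSet": {"items": [
            {"resourceType": "instance",
             "tags": [{"key": "Owner", "value": "bob"},
                      {"key": "CostCenter", "value": "42"}]},
        ]}},
    },
]


def instance_tags(record):
    """Return {key: value} for the tags requested on the 'instance' resource type."""
    items = (record.get("requestParameters", {})
             .get("tagSpecificationSet", {}).get("items", []))
    tags = {}
    for item in items:
        if item.get("resourceType") == "instance":
            for tag in item.get("tags", []):
                tags[tag["key"]] = tag["value"]
    return tags


def encoded_message(record):
    """Extract the opaque token after the 'Encoded authorization failure message:' prefix."""
    msg = record.get("errorMessage", "")
    idx = msg.find(ENCODED_PREFIX)
    return msg[idx + len(ENCODED_PREFIX):].strip() if idx >= 0 else None


def find_denied_launches(records, required=REQUIRED_TAGS):
    """Return one finding per RunInstances call that CloudTrail logged as unauthorized."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec.get("errorCode") != "Client.UnauthorizedOperation":
            continue  # successful launches and other errors are out of scope
        tags = instance_tags(rec)
        findings.append({
            "principal": rec["userIdentity"]["arn"],
            "account": rec.get("recipientAccountId"),
            "tags": tags,
            "missing_tags": sorted(set(required) - set(tags)),
            "encoded_message": encoded_message(rec),
        })
    return findings


def human_message(finding):
    """The plain-language text a notification to the developer would carry."""
    if finding["missing_tags"]:
        return (f"{finding['principal']} could not launch an instance in account "
                f"{finding['account']}: required tag(s) {', '.join(finding['missing_tags'])} "
                f"were not supplied (tags given: {finding['tags'] or 'none'}).")
    return (f"{finding['principal']} was denied RunInstances in account {finding['account']}; "
            f"decode the STS message to see which policy matched.")


def decode_with_sts(sts_client, encoded):
    """Decode the opaque token via STS and return the parsed JSON document.

    sts_client must expose decode_authorization_message(EncodedMessage=...), as the
    boto3 STS client does; the calling principal needs the sts:DecodeAuthorizationMessage
    permission. Passing the client in lets this run against a stub offline.
    """
    resp = sts_client.decode_authorization_message(EncodedMessage=encoded)
    return json.loads(resp["DecodedMessage"])


if __name__ == "__main__":
    for finding in find_denied_launches(SAMPLE_RECORDS):
        print(human_message(finding))
```

In practice the records would come from the centralized Organization trail the answer links to (or an EventBridge rule matching `errorCode` on `RunInstances`), and `human_message` would feed whatever channel reaches the developer who attempted the launch; the encoded token is retained in the finding so an operator with the STS permission can decode it when the missing-tag heuristic alone does not explain the denial.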
