AWS CLI: Decode authorization message

2 min read | by Jordi Prats

When a user is not authorized to perform a certain operation on the AWS API, an HTTP 403 is returned (Client.UnauthorizedOperation) and it may include an encoded message that provides additional details about the authorization failure. This encoded message can be decoded using the AWS CLI.

Let's assume we are getting a message similar to this one, which contains an encoded message:

karpenter-controller-596fc9748f-44558 manager 2021-12-02T08:39:52.320Z  ERROR controller.provisioning Provisioning failed, launching capacity, launching instances, with fleet error(s), UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: MTM2NzAgbm90IDMwMTQyIGFuIDUxODkgYWN0dWFsIDE4ODA4IG1lc3NhZ2UKMjc3ODIgbm90IDE5NTUgYW4gMjUzNTggYWN0dWFsIDE4OTM3IG1lc3NhZ2UKMTQ5OTYgbm90IDI2NDkwIGFuIDExNzA0IGFjdHVhbCA1NDUwIG1lc3NhZ2UKMTkwMTUgbm90IDU5NDkgYW4gMTQ3ODcgYWN0dWFsIDI0NzQ1IG1lc3NhZ2UKODE4NCBub3QgMjQ5MyBhbiA1MTM0IGFjdHVhbCAxMzQ1MiBtZXNzYWdlCg; UnfulfillableCapacity: Unable to fulfill capacity due to your request configuration. Please adjust your request and try again. {"commit": "84b683b", "provisioner": "pet2cattle"}

To decode it we can use aws sts decode-authorization-message, and since the decoded message is JSON we can use jq to pretty-print it, like so:

$ aws sts decode-authorization-message --encoded-message <encoded message> --query DecodedMessage --output text | jq '.'

So for the example above we can use the following command:

$ aws sts decode-authorization-message --encoded-message 'MTM2NzAgbm90IDMwMTQyIGFuIDUxODkgYWN0dWFsIDE4ODA4IG1lc3NhZ2UKMjc3ODIgbm90IDE5NTUgYW4gMjUzNTggYWN0dWFsIDE4OTM3IG1lc3NhZ2UKMTQ5OTYgbm90IDI2NDkwIGFuIDExNzA0IGFjdHVhbCA1NDUwIG1lc3NhZ2UKMTkwMTUgbm90IDU5NDkgYW4gMTQ3ODcgYWN0dWFsIDI0NzQ1IG1lc3NhZ2UKODE4NCBub3QgMjQ5MyBhbiA1MTM0IGFjdHVhbCAxMzQ1MiBtZXNzYWdlCg' --query DecodedMessage --output text | jq '.'
{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "AllowLaunchOnlyWithRequiredTags1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROA3LRN4U66JJ3M4IDWO"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/billing",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
(...)

Please note that I have changed the actual encoded message to be shorter, so this command won't actually work with this made-up encoded message; it's just for demonstration purposes.
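The whole procedure (pull the encoded token out of the log line, hand it to aws sts decode-authorization-message, then reduce the decoded JSON to the statement that caused the denial) can be scripted rather than done by hand. The following is an added example written for this post, not code from the post or from Karpenter. It calls the AWS CLI with the same flags used above, so the caller's credentials need sts:DecodeAuthorizationMessage; the log line and the decoded document embedded in it are constructed to mirror the output shown above (the encoded token is a placeholder and does not decode), which is why the decoding function is kept separate from the parsing so the rest runs offline.

```python
import json
import re
import subprocess
from typing import Any, Dict, List, Optional

# Matches the token that follows "Encoded authorization failure message:" in an
# EC2 UnauthorizedOperation error. The token is base64 text and ends at the
# first whitespace or ';' (in the post's log line it is followed by
# "; UnfulfillableCapacity: ...").
ENCODED_MESSAGE_RE = re.compile(
    r"Encoded authorization failure message:\s*([A-Za-z0-9+/=_-]+)"
)


def extract_encoded_message(log_line: str) -> Optional[str]:
    """Return the encoded authorization message found in a log line, or None."""
    match = ENCODED_MESSAGE_RE.search(log_line)
    return match.group(1) if match else None


def decode_with_cli(encoded: str) -> Dict[str, Any]:
    """Decode a message with the AWS CLI (same call as the post, minus jq).

    The identity running this needs sts:DecodeAuthorizationMessage.
    `--query DecodedMessage --output text` yields the JSON document as a string.
    """
    out = subprocess.run(
        ["aws", "sts", "decode-authorization-message",
         "--encoded-message", encoded,
         "--query", "DecodedMessage", "--output", "text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def _values(node: Dict[str, Any]) -> List[str]:
    """Flatten the {"items": [{"value": ...}, ...]} shape used in the decoded message."""
    return [item["value"] for item in node.get("items", [])]


def summarize(decoded: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a decoded authorization message to the fields that explain the denial."""
    statements = []
    for stmt in decoded.get("matchedStatements", {}).get("items", []):
        conditions = {
            cond["key"]: _values(cond.get("values", {}))
            for cond in stmt.get("conditions", {}).get("items", [])
        }
        statements.append({
            "statementId": stmt.get("statementId"),
            "effect": stmt.get("effect"),
            "actions": _values(stmt.get("actions", {})),
            "resources": _values(stmt.get("resources", {})),
            "conditions": conditions,
        })
    return {
        "allowed": decoded.get("allowed"),
        "explicitDeny": decoded.get("explicitDeny"),
        "statements": statements,
    }


# Constructed sample log line; the token is a placeholder, not a real message.
SAMPLE_LOG_LINE = (
    "karpenter-controller-596fc9748f-44558 manager 2021-12-02T08:39:52.320Z ERROR "
    "controller.provisioning Provisioning failed, UnauthorizedOperation: You are not "
    "authorized to perform this operation. Encoded authorization failure message: "
    "QUJDREVGR0hJSktMTU5PUA; UnfulfillableCapacity: Unable to fulfill capacity."
)

# Constructed decoded document mirroring the shape of the post's jq output.
SAMPLE_DECODED: Dict[str, Any] = {
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [{
        "statementId": "AllowLaunchOnlyWithRequiredTags1",
        "effect": "DENY",
        "principals": {"items": [{"value": "AROAEXAMPLEROLEID"}]},
        "principalGroups": {"items": []},
        "actions": {"items": [{"value": "ec2:RunInstances"}]},
        "resources": {"items": [{"value": "arn:aws:ec2:*:*:instance/*"}]},
        "conditions": {"items": [{
            "key": "aws:RequestTag/billing",
            "values": {"items": [{"value": "true"}]},
        }]},
    }]},
}


if __name__ == "__main__":
    token = extract_encoded_message(SAMPLE_LOG_LINE)
    print("encoded token:", token)
    # decode_with_cli(token) would be the live step; the sample token is a placeholder.
    print(json.dumps(summarize(SAMPLE_DECODED), indent=2))
```

Reading the summary is the useful part: an explicit DENY matched on aws:RequestTag/billing says the request was blocked because a required tag was missing, so the fix is to make the launch request carry that tag (or correct the tag value), not to widen the role's permissions. The decoded document also names the principal and the policy statement, so treat it as sensitive and avoid pasting it into shared tickets or chat unredacted.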


Posted on 08/12/2021
