AWS CLI: Decode authorization message

2 min read

When a user is not authorized to perform a certain operation on the AWS API, a HTTP 403 is returned (Client.UnauthorizedOperation) and may include encoded message that provides additional details about this authorization failure. This encoded message can be decoded using aws cli

Let's assume we are getting a message similar to this one that contains an encoded message:

karpenter-controller-596fc9748f-44558 manager 2021-12-02T08:39:52.320Z  ERROR controller.provisioning Provisioning failed, launching capacity, launching instances, with fleet error(s), UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: MTM2NzAgbm90IDMwMTQyIGFuIDUxODkgYWN0dWFsIDE4ODA4IG1lc3NhZ2UKMjc3ODIgbm90IDE5NTUgYW4gMjUzNTggYWN0dWFsIDE4OTM3IG1lc3NhZ2UKMTQ5OTYgbm90IDI2NDkwIGFuIDExNzA0IGFjdHVhbCA1NDUwIG1lc3NhZ2UKMTkwMTUgbm90IDU5NDkgYW4gMTQ3ODcgYWN0dWFsIDI0NzQ1IG1lc3NhZ2UKODE4NCBub3QgMjQ5MyBhbiA1MTM0IGFjdHVhbCAxMzQ1MiBtZXNzYWdlCg; UnfulfillableCapacity: Unable to fulfill capacity due to your request configuration. Please adjust your request and try again. {"commit": "84b683b", "provisioner": "pet2cattle"}

To decode it we can use aws sts decode-authorization-message and since it's going to be a json message we can use jq to visualize it like so:

$ aws sts decode-authorization-message --encoded-message <encoded message> --query DecodedMessage --output text | jq '.'

So for the example above we can use the following command:

$ aws sts decode-authorization-message --encoded-message 'MTM2NzAgbm90IDMwMTQyIGFuIDUxODkgYWN0dWFsIDE4ODA4IG1lc3NhZ2UKMjc3ODIgbm90IDE5NTUgYW4gMjUzNTggYWN0dWFsIDE4OTM3IG1lc3NhZ2UKMTQ5OTYgbm90IDI2NDkwIGFuIDExNzA0IGFjdHVhbCA1NDUwIG1lc3NhZ2UKMTkwMTUgbm90IDU5NDkgYW4gMTQ3ODcgYWN0dWFsIDI0NzQ1IG1lc3NhZ2UKODE4NCBub3QgMjQ5MyBhbiA1MTM0IGFjdHVhbCAxMzQ1MiBtZXNzYWdlCg'  --query DecodedMessage --output text | jq '.'
{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "AllowLaunchOnlyWithRequiredTags1",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AROA3LRN4U66JJ3M4IDWO"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:*:*:instance/*"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/billing",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
(...)

Please notice I have changed the actual encoded message to be shorter, so this command won't actually work using this made up encoded message, it's just for demonstration purposes.


Posted on 08/12/2021

Categories