Decode an Encrypted Authorization/Error message

HOWTO: Decode an Encrypted Authorization/Error message

Some actions that involve IAM permissions may return a Client.UnauthorizedOperation response (an HTTP 403 response).

The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should potentially not see. To decode an authorization status message you can use the AWS Command Line Interface (CLI).

Please refer to the AWS documentation on how to install the CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html

When you receive an error such as:

You are not authorized to perform this operation. 
Encoded authorization failure message:
4Ai9qvVQYCx3kKoQaOtnKpzKCvrDlzzn_8R3vhbWP-TGw5hHcV-nA1oa2OYqRJGLTVXT5ObYDbfI1VxJv6wIxIkcDra0jmVs3wbRel4fvv9Q6qQp8MepKs7lPvJuRuSyUzL90NpNNwImtrXQgoeipGU_aeZiaBI35CU2rhuykvMtwY9HHOH5tJzCmjv-wmQmRcuk5opQkOuipSzyoCSNne-0QekiaUe_vBGcfmSEK1lyc9xU9YndY8aXAz5sI5LOKUz9PBoiLs_ph8zKW0Nv1GHjjsXjoMrHp5uSBoECyWAazFpBsH7TzIVNdnp9NExuq68e5GqpOpjc2__wSrlRntWRkL9RKcAIy_Eg-eoy8emmF9iDRGweli0lytGJFnnf_h7RpTI9UtE8nV7FXcdcbXrX6fmgRWW87DyyfelMJuCcG5AWXWuJY37Cco4r90QqB8c9EALL5R4wAdHlqyPQl3hyVng21GHo6ZETWCNzR28jDlwpnfamvZoUunqdIvbmNWAYQgkFIccfER9snJTCNUF-Srkkc2QhEzBFpNK9HokCzi06m0u7CxPM4Az-1M1Zu84rV0fXcLawmyDZQzXoRkSVY5fnvd-LPwc2SOKK98hP8bO7M1iIiFIZAGko4clebWclbqHA1HMPH5p6JxozIPWAaxdACoPy48XAz-rzQAGKq83ASRYtO2BIEUYrbZCZEHpNdn8J1KLtZOK5nS8_xRGS-mqx4XliSv3lXhqHfABtEIuEd6wWNyRGShKnaY8srUtOX6v2dzbLe5DLrj-tIFsuBdbq1Fmj5P5qGgiw05b7


You can decode the message from the CLI using the following command (the calling identity needs the sts:DecodeAuthorizationMessage permission):

$> aws sts decode-authorization-message --encoded-message <encoded message from error>

This will give you an output that looks like:

{"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"APOZIAANAVSK6I6FK2RQI:i-66c78ee7\",\"arn\":\"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::<aws-account-id>:role/my-role-ec2\",\"conditions\":{\"items\":[]}}}"}

The DecodedMessage value is itself JSON embedded in a string, so by default the embedded quotes (") are escaped as \". To make the error easier to read, extract the message portion and use a text editor to replace \" with ".

Resulting in:

{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"APOZIAANAVSK6I6FK2RQI:i-66c78ee7","arn":"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7"},"action":"iam:PassRole","resource":"arn:aws:iam::<aws-account-id>:role/my-role-ec2","conditions":{"items":[]}}}

You can then use any tool to clean up the JSON (e.g. https://jsonformatter.org/json-pretty-print or Visual Studio Code) to format it into an easily readable form:

{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "APOZIAANAVSK6I6FK2RQI:i-66c78ee7",
      "arn": "arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::<aws-account-id>:role/my-role-ec2",
    "conditions": {
      "items": []
    }
  }
}
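The extraction, un-escaping and pretty-printing steps above can be done in one go. The following script is an added example, not part of the original article: it parses the CLI output (the sample from this article is embedded as test input), unwraps the nested DecodedMessage document, and reports whether the denial was an explicit Deny or an implicit one (no Allow statement matched), which tells you which policy to look at.

```python
import json
import sys

# Output of `aws sts decode-authorization-message`, copied from the article
# above (account id already redacted as <aws-account-id>).
CLI_OUTPUT = (
    '{"DecodedMessage": "{\\"allowed\\":false,\\"explicitDeny\\":false,'
    '\\"matchedStatements\\":{\\"items\\":[]},\\"failures\\":{\\"items\\":[]},'
    '\\"context\\":{\\"principal\\":{\\"id\\":\\"APOZIAANAVSK6I6FK2RQI:i-66c78ee7\\",'
    '\\"arn\\":\\"arn:aws:sts::<aws-account-id>:assumed-role/my-role-ec2/i-123456e7\\"},'
    '\\"action\\":\\"iam:PassRole\\",'
    '\\"resource\\":\\"arn:aws:iam::<aws-account-id>:role/my-role-ec2\\",'
    '\\"conditions\\":{\\"items\\":[]}}}"}'
)


def decode_cli_output(raw: str) -> dict:
    """Parse the CLI's JSON envelope and the JSON document nested inside
    DecodedMessage. json.loads resolves the \\" escaping itself, so there is
    no need to fix the quotes by hand. Input produced with
    `--query DecodedMessage --output text` (no envelope) is accepted too."""
    doc = json.loads(raw)
    if "DecodedMessage" in doc:
        doc = json.loads(doc["DecodedMessage"])
    return doc


def summarize(decoded: dict) -> dict:
    """Reduce the decoded message to what an operator needs to fix the policy."""
    ctx = decoded.get("context", {})
    matched = decoded.get("matchedStatements", {}).get("items", [])
    if decoded.get("allowed"):
        verdict = "allowed"
    elif decoded.get("explicitDeny"):
        verdict = "explicit deny"   # a Deny statement matched the request
    else:
        verdict = "implicit deny"   # no Allow statement matched the request
    return {
        "verdict": verdict,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "matched_statements": len(matched),
        "conditions": ctx.get("conditions", {}).get("items", []),
    }


if __name__ == "__main__":
    # Run with "-" to read the CLI output from stdin, otherwise use the sample.
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else CLI_OUTPUT
    decoded = decode_cli_output(raw)
    print(json.dumps(decoded, indent=2))
    print(json.dumps(summarize(decoded), indent=2))
```

Typical use is `aws sts decode-authorization-message --encoded-message <encoded message from error> | python3 decode.py -` (decode.py is an assumed file name).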
