AWS - DecodeAuthorizationMessage Not authorized to decode message

Even though I'm an admin on the account, I added an IAM role as follows on a specific EC2 and I'm still getting the same error:

An error occurred (InvalidAuthorizationMessageException) when calling the DecodeAuthorizationMessage operation: Not authorized to decode message

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:DecodeAuthorizationMessage"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Why can't I decode the error message?

Omer Shliva Avatar asked Dec 22 '19 09:12

2 Answers

This error message is misleading. You have privileges to decode the message but you're sending an invalid message to decode.

InvalidAuthorizationMessage
The error returned if the message passed to DecodeAuthorizationMessage was invalid. This can happen if the token contains invalid characters, such as linebreaks.

If you were not authorized to perform the operation you'd receive an error message similar to this:

A client error (AccessDenied) occurred when calling the DecodeAuthorizationMessage operation

References

  • API_DecodeAuthorizationMessage
  • Troubleshoot IAM Policy Issues
kenlukas Avatar answered Oct 23 '22 03:10

I ran into the same error message today. In my case, the encoded input message was a valid error message from one AWS account, but unfortunately I was using a default user profile with privileges to decode an authorization error message from a different AWS account. So the error returned from the decode-authorization-message command was accurate, I did not have the necessary privileges to decode the message sent in. The fix was to get the necessary credentials through the AWS SSO login process, copy those into the .aws/credentials file, and try again.

Notes: (1) it's a good idea to back up the aws credentials file prior to editing it. (2) Also, use the command line option --profile {profile name} to switch to a user profile other than the default. (3) The AWS credentials for an SSO user include a token which eventually expires - I do not know the time limit - so if you want to use the CLI with the same SSO user later, you may need to regenerate and save updated credentials first.

patricks Avatar answered Oct 23 '22 05:10

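The two causes the answers above describe (whitespace or line breaks in the pasted token, per the first answer, and decoding with credentials from a different account or profile than the one that produced the message, per the second) can both be handled in one small script. This is an added example, not code from the question or from either answer. It assumes boto3 is installed, that any `--profile` given is configured for the CLI (for instance credentials copied in after an AWS SSO login), and that the token may arrive with an "Encoded authorization failure message:" prefix; that prefix handling is an assumption of this example, not something the page states.

```python
"""Decode an STS encoded authorization failure message from the right profile.

Added example, not from the original question or answers. Assumes boto3 is
installed and that any --profile given is configured in ~/.aws/config or
~/.aws/credentials (e.g. credentials copied from an AWS SSO login).
"""
import json
import sys
from typing import Optional

# Text some API errors put in front of the token (assumed format, not from the page).
_PREFIX = "Encoded authorization failure message:"


def clean_encoded_message(raw: str) -> str:
    """Strip the prefix and every whitespace character, including line breaks.

    A token copied out of a wrapped log line or a JSON error body often carries
    newlines; STS then answers InvalidAuthorizationMessageException, which is the
    case described in the first answer, not a permissions problem.
    """
    text = raw
    if _PREFIX in text:
        text = text.split(_PREFIX, 1)[1]
    return "".join(text.split())


def classify_decode_error(error_code: str) -> str:
    """Map the STS error code to the likely cause described in the answers."""
    if error_code == "InvalidAuthorizationMessageException":
        return ("message rejected: check for whitespace/line breaks, truncation, "
                "or decoding with credentials from a different account than the "
                "one that issued the message")
    if error_code == "AccessDenied":
        return "caller is missing sts:DecodeAuthorizationMessage"
    return "unexpected error code: " + error_code


def decode_message(encoded: str, sts_client) -> dict:
    """Call DecodeAuthorizationMessage and parse the JSON STS returns in DecodedMessage."""
    response = sts_client.decode_authorization_message(
        EncodedMessage=clean_encoded_message(encoded)
    )
    return json.loads(response["DecodedMessage"])


def sts_client_for_profile(profile: Optional[str] = None):
    """Build an STS client for the named profile (None = the default profile).

    The message can only be decoded by credentials from the account that issued
    it, so pick the profile that matches the failing API call (second answer).
    """
    import boto3  # imported lazily so the pure helpers above run without boto3
    return boto3.Session(profile_name=profile).client("sts")


def main(argv: list) -> int:
    """Usage: python decode_auth_message.py [--profile NAME] <encoded-message>"""
    from botocore.exceptions import ClientError
    profile = None
    args = list(argv)
    if "--profile" in args:
        i = args.index("--profile")
        profile = args[i + 1]
        del args[i:i + 2]
    if len(args) != 1:
        print(main.__doc__, file=sys.stderr)
        return 2
    try:
        decoded = decode_message(args[0], sts_client_for_profile(profile))
    except ClientError as err:
        code = err.response.get("Error", {}).get("Code", "")
        print(classify_decode_error(code), file=sys.stderr)
        return 1
    # The decoded document names the principal, action and resources that were denied.
    print(json.dumps(decoded, indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python decode_auth_message.py --profile <name> '<token>'`; if STS still reports `InvalidAuthorizationMessageException` after the whitespace is stripped, the remaining explanation on this page is that the profile belongs to a different account than the one that generated the message.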