% aws ec2 run-instances --dry-run --image-id ami-033b95fb8079dc481 --instance-type r5.xlarge
An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: oowy2KGHbElZ_IFXuCA6B_jEmiVBBVbGkcdxe2Q1FW8odHRJ0a9UDxb9fktjE6Bd9U_aA9o3aZRFK3FcrMVgi5NFkkvFrmO7oH0Bk5Q_Bj0NH1IP9g8dDzOn39lIGdPgizfZY4e279tStTbwyo1vu71HI9MYFySMSzQ3k9Hbh6iGKbbszfozw6Fded8Jp2gRdbrz3Hg8d5KhMUuSQPrHS0rBpVTqjIuG97vl3Lr_pq9Jnjp21rHsDbF63L1IlrFcyRuVPEdaUkArO0KZoWIcFYu94LNrpbFIt__cN7DLn8YzPU_y_xGHtjYCewrhHI3qRr5cTWn4aUiDDOdhoiVqUQwftmIwzvmJNFk4mjFY7opFMhobSjr3m9sFjrb3DVDK4UPAuJy7IEnVd3E8sc9GlUbsiPsU5HxSbcChrRj_qfNaXjG16XjemEIJk5nsr_lrpNi07acTvFuPm6zHDT8b0SKTZjpBoD5AJUenxsQMNcAgUklXm5GSGQUfhDZruF6JkwedxMCQtRsxr6NDfKiRRVz5BY-IBNd1wb5Mx-Fjv6Fr-Zv6CIscmTkVQiZq9FUYBSqM-OjV4LaB-Tg6uXjDU-95OJSNHw7s8ogVDdcB5NTFiCuzbwpVDU-KSGEt34XfZtNbcZvj6G-hp-thDm0XG7KE4gDpSLB0iuW5mYLP50K5KVxPlneskRo_9tkYKclmulrhfUEsxaBvKUWH97zc2bzx7iqu4ZIsT5IQuGrHbwnFYm8crSFPtgEtQH0Jc95XWq21cUF1B1Yef1SFAcBukO8hY27qlROzUKtlCLjGgE1G1h8cPnQNPoYvQ1Gg6KaS7jxCkJ_vJ8Ptjzsz1oiBhFHG6mqMw1hVmj9VEkIHYIqak4SGBujv1FxquHqbyo67kl4UWgGEDczQtZoGY35dOZMNkLrikKKgRKYWUDabPw40ac_Z2PN0L6kFtWuhAti3A8fE6gogvNFkqP444Z7GPxBg4woOvNRNxuUIDVKF9Fm-18K4sWm83e7C_7IGLh2HLDguPl_WsH0EMdshCzz3PBjULFbpogj4nGArHSKAFfNYQFDXv1CVPwBD7_LnKBSGCETGw07cE6jJjoQMOtHeu-NrARLkIiiQUfUfRHzqfL-Q41P-Bn3vTvYQ7qObDQcX2Blf4YDFbUk_W6kf2IIrCu4Qj9cUrLMYeyFg2KGowlt_9LJJAnsoOWWvwJ5TKOwLSi0Z
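Decoding the message requires the IAM permission "sts:DecodeAuthorizationMessage". AWS encodes the message because the authorization details can include policy information that the caller who was denied is not necessarily meant to see, so this permission should be granted deliberately rather than to every principal.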
To keep the command line readable, we store the encoded message in a shell variable, "MSG".
MSG=oowy2KGHbElZ_IFXuCA6B_jEmiVBBVbGkcdxe2Q1FW8odHRJ0a9UDxb9fktjE6Bd9U_aA9o3aZRFK3FcrMVgi5NFkkvFrmO7oH0Bk5Q_Bj0NH1IP9g8dDzOn39lIGdPgizfZY4e279tStTbwyo1vu71HI9MYFySMSzQ3k9Hbh6iGKbbszfozw6Fded8Jp2gRdbrz3Hg8d5KhMUuSQPrHS0rBpVTqjIuG97vl3Lr_pq9Jnjp21rHsDbF63L1IlrFcyRuVPEdaUkArO0KZoWIcFYu94LNrpbFIt__cN7DLn8YzPU_y_xGHtjYCewrhHI3qRr5cTWn4aUiDDOdhoiVqUQwftmIwzvmJNFk4mjFY7opFMhobSjr3m9sFjrb3DVDK4UPAuJy7IEnVd3E8sc9GlUbsiPsU5HxSbcChrRj_qfNaXjG16XjemEIJk5nsr_lrpNi07acTvFuPm6zHDT8b0SKTZjpBoD5AJUenxsQMNcAgUklXm5GSGQUfhDZruF6JkwedxMCQtRsxr6NDfKiRRVz5BY-IBNd1wb5Mx-Fjv6Fr-Zv6CIscmTkVQiZq9FUYBSqM-OjV4LaB-Tg6uXjDU-95OJSNHw7s8ogVDdcB5NTFiCuzbwpVDU-KSGEt34XfZtNbcZvj6G-hp-thDm0XG7KE4gDpSLB0iuW5mYLP50K5KVxPlneskRo_9tkYKclmulrhfUEsxaBvKUWH97zc2bzx7iqu4ZIsT5IQuGrHbwnFYm8crSFPtgEtQH0Jc95XWq21cUF1B1Yef1SFAcBukO8hY27qlROzUKtlCLjGgE1G1h8cPnQNPoYvQ1Gg6KaS7jxCkJ_vJ8Ptjzsz1oiBhFHG6mqMw1hVmj9VEkIHYIqak4SGBujv1FxquHqbyo67kl4UWgGEDczQtZoGY35dOZMNkLrikKKgRKYWUDabPw40ac_Z2PN0L6kFtWuhAti3A8fE6gogvNFkqP444Z7GPxBg4woOvNRNxuUIDVKF9Fm-18K4sWm83e7C_7IGLh2HLDguPl_WsH0EMdshCzz3PBjULFbpogj4nGArHSKAFfNYQFDXv1CVPwBD7_LnKBSGCETGw07cE6jJjoQMOtHeu-NrARLkIiiQUfUfRHzqfL-Q41P-Bn3vTvYQ7qObDQcX2Blf4YDFbUk_W6kf2IIrCu4Qj9cUrLMYeyFg2KGowlt_9LJJAnsoOWWvwJ5TKOwLSi0Z
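# Decode the encoded authorization failure message held in MSG and pretty-print
# the resulting JSON. The calling principal needs sts:DecodeAuthorizationMessage.
# "$MSG" is quoted so the shell passes the value as exactly one argument with no
# word splitting or globbing; --query DecodedMessage selects the JSON document
# from the response before it is handed to the formatter.
aws sts decode-authorization-message --encoded-message "$MSG" --query DecodedMessage --output text | python -m json.tool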
{
....
},
"explicitDeny": true,
"failures": {
"items": []
},
"matchedStatements": {
"items": [
{
"actions": {
"items": [
{
"value": "rds:CreateDBInstance"
},
{
"value": "rds:Restore*"
},
{
"value": "cloud9:CreateEnvironmentEC2"
},
{
"value": "ec2:RunInstances"
},
{
"value": "ec2:StartInstances"
},
{
"value": "ec2:CreateLaunchTemplate"
},
{
"value": "ec2:CreateVolume"
},
{
"value": "autoscaling:CreateLaunchConfiguration"
},
{
"value": "sagemaker:CreateNotebookInstance"
},
{
"value": "sagemaker:UpdateNotebookInstance"
}
]
},
"conditions": {
"items": [
....
{
"key": "ec2:InstanceType",
"values": {
"items": [
{
"value": "t*.nano"
},
{
"value": "t*.micro"
},
{
"value": "t*.small"
},
{
"value": "t*.medium"
}
]
}
},
.....
]
}
}
]
},
....
]
}
}
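(The output above has been reformatted, and sections unrelated to the deny message have been omitted.) It shows that an explicit deny ("explicitDeny": true) matched a statement covering ec2:RunInstances, and that the statement's condition on ec2:InstanceType lists only t*.nano, t*.micro, t*.small and t*.medium. The requested r5.xlarge is not among those patterns, which is presumably why the call was denied; the condition operator itself is in an omitted section, so confirm it against the full decoded message or the policy.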