ec2 filter by tag permission denied

Question

I'm trying to get a list of instances from EC2. If I apply a filter to get only running instances, i.e. the request is:

POST https://ec2.us-west-2.amazonaws.com/ec2?Action=DescribeInstances&Filter.1.Name=instance-state-name&Filter.1.Value.1=running&Version=2015-10-01

then I get a reply, as expected:

Received response: 200 - OK, Latency: 235441, Server: AmazonEC2, Date: Thu, 14 Jan 2016 13:08:45 GMT, Vary: Accept-Encoding, Transfer-Encoding: chunked, Content-Type: text/xml;charset=UTF-8, <?xml version="1.0" encoding="UTF-8"?>
<DescribeInstancesResponse xmlns="http://ec2.amazonaws.com/doc/2015-10-01/">...

However, if I apply a filter to get only instances tagged as MY_frontend, i.e. the request is:

POST https://ec2.us-west-2.amazonaws.com/ec2?Action=DescribeInstances&Filter.1.Name=tag:Name&Filter.1.Value.1=MY_frontend&Version=2015-10-01

then I get an error reply:

Received response: 401 - Unauthorized, Latency: 127257, Server: AmazonEC2, Date: Thu, 14 Jan 2016 13:09:32 GMT, Transfer-Encoding: chunked, <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>e61a2f44-0397-40ea-8832-45879d36dacd</RequestID></Response>

What is really confusing is that the (apparently) same request with the AWS CLI tool succeeds:

aws ec2 describe-instances --filter Name=instance-state-name,Values=running Name=tag:Name,Values=MY_frontend

Both my tool and the AWS CLI are using the same role-based credentials.

What could cause this?

Answer 1

And the answer is...

':' is a reserved character and needs to be url-escaped. This is what the AWS CLI sends (in the body of the POST rather than the URL)

Filter.1.Name=instance-state-name&Filter.2.Value.1=MY_frontend&Filter.2.Name=tag%3AName&Version=2015-04-15&Action=DescribeInstances&Filter.1.Value.1=running

I wish the error was something more suggestive and not "Unauthorized".