user971741

User: x is not authorized to perform: (sts:DecodeAuthorizationMessage)

I am facing an issue while trying to provision my EC2 instance through Terraform. However, to debug that issue I am trying to decode the encoded authorization failure message.

But when trying to call the STS decode API I am getting:

Error: A client error (AccessDenied) occurred when calling the DecodeAuthorizationMessage operation: User: xxx is not authorized to perform: (sts:DecodeAuthorizationMessage)

Now I don't know which specific permission I should give to my IAM user to be able to decode this message.


Upvotes: 9

Views: 6686

Answers (1)

Marcin

Reputation: 238249

Based on the error message quoted, it seems that sts:DecodeAuthorizationMessage permissions are required:

Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.

Subsequently you could add the following policy as an inline policy, for example, into your IAM user or its group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowStsDecode",
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*"
        }
    ]
}

The same could be added through Customer Managed Policy if inline policies are not desired.

Upvotes: 15
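As an added example (not part of the answer above): once the sts:DecodeAuthorizationMessage call is permitted, the DecodedMessage it returns is JSON, and the script below pulls out the denied principal, action and resource and drafts a least-privilege Allow statement for an implicit deny. It relies only on the standard library and on the documented DecodedMessage fields (allowed, explicitDeny, matchedStatements, failures, context); the sample message, account id and ARNs are constructed.

```python
import json
from typing import Optional

# Constructed sample of a DecodedMessage as returned by sts:DecodeAuthorizationMessage.
# The account id, principal and ARNs are made up; a real message carries the caller's details.
SAMPLE_DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEID", "arn": "arn:aws:iam::123456789012:user/terraform"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "conditions": {"items": [{"key": "aws:Region", "values": {"items": [{"value": "us-east-1"}]}}]},
    },
})


def summarize(decoded_message: str) -> dict:
    """Extract the fields that explain why a request was denied from the decoded JSON."""
    msg = json.loads(decoded_message)
    ctx = msg.get("context", {})
    return {
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "allowed": bool(msg.get("allowed")),
        # An explicit Deny (policy, permissions boundary or SCP) cannot be fixed by adding an
        # Allow; an implicit deny simply means no statement granted the action.
        "deny_type": "explicit" if msg.get("explicitDeny") else "implicit",
        "matched_statements": len(msg.get("matchedStatements", {}).get("items", [])),
    }


def suggested_statement(summary: dict) -> Optional[dict]:
    """Draft one Allow statement scoped to exactly the denied action and resource.
    Returns None when the request was allowed or hit an explicit deny."""
    if summary["allowed"] or summary["deny_type"] == "explicit":
        return None
    return {
        "Sid": "AllowDeniedAction",
        "Effect": "Allow",
        "Action": summary["action"],
        "Resource": summary["resource"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_DECODED_MESSAGE)
    print(json.dumps(s, indent=2))
    print(json.dumps(suggested_statement(s), indent=2))
```

A real message can be fetched with aws sts decode-authorization-message --encoded-message <blob> --query DecodedMessage --output text and passed to summarize().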
