Wondering how to fix EC2 UnauthorizedOperation error? We can help you.

Often Amazon EC2 users report to us that while trying to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance they end up with this error.

Here at Bobcares, we often handle requests from our customers to fix similar errors as a part of our Server Management Services. Today we will see how our Support Engineers fix this for our customers.

How to fix EC2 “UnauthorizedOperation” Error 

Before going into the steps for fixing this error we will see what causes this error.

A typical error looks like the one given below:

Cause:

The “UnauthorizedOperation” error occurs when the user or role tries to perform the operation that doesn’t have permission to describe (or list) EC2 instances.

Steps to fix this error

Following are the steps that our Support Engineers follow to fix this error for our customers:

1. Firstly we need to verify that the AWS CLI is installed and configured on our machine using the following command:

$ aws --version

Note: We must ensure to use the most recent version of the AWS CLI.

2.  After that we can run the decode-authorization-message command as given below:

$ aws sts decode-authorization-message --encoded-message encoded-message

Note: Here we must replace the encoded-message with the exact encoded message we got in the error message.

3. Now the decoded message lists the required permissions that are missing from the IAM role or user policy.

Following is an example of an encoded message:

Launch Failed - You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn

Following is an example of a decoded message:

$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn

{
    "DecodedMessage": 
"{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"ABCDEFGHIJKLMNO\",\"name\":\"AWS-User\",
\"arn\":\"arn:aws:iam::accountID:user/test-user\"},\"action\":\"iam:PassRole\",
\"resource\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-2\"}]}},
{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/EC2_instance_Profile_role\"}]}},
{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"EC2_instance_Profile_role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"accountID\"}]}},
{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\"}]}}]}}}"
}

From the above message we can infer that the request failed to call RunInstances as AWS-User does not have permission to perform the iam:PassRole action on the arn:aws:iam::accountID:role/EC2_instance_Profile_role.

4.  Finally, we have to edit the IAM policy associated with the IAM role or user to add the missing permissions.

[Need assistance? We can help you]

Conclusion

In short, we saw how our Support Techs fix EC2 “UnauthorizedOperation” Error for our customers.