Bobcares

Encoded Authorization Failure Message in EC2 – How to fix it?

Sep 8, 2021

Stuck with Encoded Authorization Failure Message in EC2? We can help you.

Generally, this error occurs when we run the restore job using the default IAM role on AWS Backup and the original EC2 instance has an instance profile attached to it.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can troubleshoot this.

Encoded Authorization Failure Message in EC2

Recently, a customer who used AWS Backup to restore an Amazon EC2 instance from a snapshot approached us.

He received an encoded error message that says:

“You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details.”

To decode the failure messages, we can use the AWS Security Token Service.

Then, we verify if the AWS IAM role that ran the restore job has sufficient permissions.

1. Initially, we run the decode-authorization-message command using the AWS CLI.

On a Linux-based operating system, we can combine this command with the jq tool to get readable output:

aws sts decode-authorization-message --encoded-message "<encoded error message>" --query DecodedMessage --output text | jq '.'

However, we need to make sure that we use the most recent version of the AWS CLI.

2. The above command will give an output similar to the following:

{
    "allowed": false,

    …..

    "context": {
        "principal": {
            "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
        },
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
        "conditions": {
            "items": [

    …..

}

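Here, we can see that the restore job runs as the default IAM role, AWSBackupDefaultServiceRole, and that the denied action is iam:PassRole on AmazonSSMRoleForInstancesQuickSetup.

To restore the instance, this role needs the iam:PassRole permission so that it can pass AmazonSSMRoleForInstancesQuickSetup to the restored instance.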

3. We add the following policy to the IAM role that we use to perform the restore job:

Note: Replace 111122223333 with your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}

Once done, we re-run the restore job.
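The policy in step 3 uses role/*, which lets the backup role pass every role in the account. The following added example (not part of the original article) reads the decoded message and builds an Allow statement limited to the one action and resource that were denied. The sample input is constructed from the output shown in step 2, with the elided parts left out and the explicitDeny field added; the function names are hypothetical.

```python
import json

# Constructed sample: the decoded output from step 2 without the elided parts.
SAMPLE_DECODED = """
{
  "allowed": false,
  "explicitDeny": false,
  "context": {
    "principal": {
      "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup"
  }
}
"""

def role_name_from_principal(arn):
    """Return the IAM role name behind an assumed-role session ARN."""
    resource = arn.split(":", 5)[5]            # assumed-role/<role>/<session>
    parts = resource.split("/")
    if len(parts) != 3 or parts[0] != "assumed-role":
        raise ValueError("principal is not an assumed-role session: " + arn)
    return parts[1]

def scoped_statement(decoded_text):
    """Return (role to edit, policy allowing only the denied action/resource)."""
    msg = json.loads(decoded_text)
    if msg.get("allowed"):
        raise ValueError("request was allowed; nothing to fix")
    if msg.get("explicitDeny"):
        # An explicit Deny overrides any Allow, so adding a policy cannot help.
        raise ValueError("explicit deny in effect; review the Deny statement")
    ctx = msg["context"]
    role = role_name_from_principal(ctx["principal"]["arn"])
    statement = {
        "Effect": "Allow",
        "Action": ctx["action"],
        "Resource": ctx["resource"],           # exact ARN, not role/*
    }
    return role, {"Version": "2012-10-17", "Statement": [statement]}

if __name__ == "__main__":
    role, policy = scoped_statement(SAMPLE_DECODED)
    print("Attach to role:", role)
    print(json.dumps(policy, indent=2))
```

If later restores fail on a different instance profile role, decode that message the same way and add its ARN to the Resource list instead of widening to a wildcard.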


Conclusion

In short, we saw how our Support Techs fix the Encoded Authorization Failure Message in EC2.
