概要
Terraform実行時に以下のようにエラーメッセージがエンコードされた状態で表示される場合があり、解読のためにはデコードする必要がある
Error: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn.......
デコード
aws sts decode-authorization-messageコマンドを使用する
なお使用するためには、sts:DecodeAuthorizationMessage権限が必要となる
$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
{
"DecodedMessage":
"{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"ABCDEFGHIJKLMNO\",\"name\":\"AWS-User\",
\"arn\":\"arn:aws:iam::accountID:user/test-user\"},\"action\":\"iam:PassRole\",
\"resource\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-2\"}]}},
{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/EC2_instance_Profile_role\"}]}},
{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"EC2_instance_Profile_role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"accountID\"}]}},
{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\"}]}}]}}}"
}
そのままだと読みにくいのでjqで加工する
$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn \
|jq -r '.DecodedMessage' \
|jq
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
"principal": {
"id": "ABCDEFGHIJKLMNO",
"name": "AWS-User",
"arn": "arn:aws:iam::accountID:user/test-user"
},
"action": "iam:PassRole",
"resource": "arn:aws:iam::accountID:role/EC2_instance_Profile_role",
"conditions": {
"items": [
{
"key": "aws:Region",
"values": {
"items": [
{
"value": "us-east-2"
}
]
}
},
{
"key": "aws:Service",
"values": {
"items": [
{
"value": "ec2"
}
]
}
},
{
"key": "aws:Resource",
"values": {
"items": [
{
"value": "role/EC2_instance_Profile_role"
}
]
}
},
{
"key": "iam:RoleName",
"values": {
"items": [
{
"value": "EC2_instance_Profile_role"
}
]
}
},
{
"key": "aws:Account",
"values": {
"items": [
{
"value": "accountID"
}
]
}
},
{
"key": "aws:Type",
"values": {
"items": [
{
"value": "role"
}
]
}
},
{
"key": "aws:ARN",
"values": {
"items": [
{
"value": "arn:aws:iam::accountID:role/EC2_instance_Profile_role"
}
]
}
}
]
}
}
}
不足している権限だけを表示する
$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn \
|jq -r '.DecodedMessage' \
|jq -c '.context.action'
"iam:PassRole"