How do I troubleshoot the encoded authorization failure message when I try to restore an Amazon EC2 instance using AWS Backup?

Last updated: 2020-03-27

I'm using AWS Backup to restore an Amazon Elastic Compute Cloud (Amazon EC2) instance from a snapshot. However, I get an encoded error message that says "You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details." How can I troubleshoot this?

Resolution

Use AWS Security Token Service (AWS STS) to decode the failure message. Then, verify that the AWS Identity and Access Management (IAM) role that ran the restore job has sufficient permissions.

Note: This error typically occurs when you run the restore job using the default IAM role on AWS Backup and the original EC2 instance has an instance profile attached to it.

1.    Run the decode-authorization-message command using the AWS Command Line Interface (AWS CLI):

Note: If you're using a Linux-based operating system, then you can pipe the command into the jq tool to get a viewer-friendly output:

aws sts decode-authorization-message --encoded-message <encoded-error-message> --query DecodedMessage --output text | jq '.'

2.    The command returns output similar to the following:

{
  "allowed": false,

  ...

  "context": {
    "principal": {
      "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
      "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
    "conditions": {
      "items": [

  ...

}

The example output shows that the default IAM role named AWSBackupDefaultServiceRole was used to run the restore job ("principal"), that the denied action was iam:PassRole ("action"), and that the role it tried to pass was AmazonSSMRoleForInstancesQuickSetup ("resource"), the instance profile role of the original instance. The restore job must pass that role to the new instance, so AWSBackupDefaultServiceRole needs iam:PassRole permission on it.

3.    Add the following policy to the IAM role that you use to perform the restore job:

Note: Replace 111122223333 with your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}

After you update the IAM role, re-run the restore job.
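The three steps above (decode the message, read the principal/action/resource out of its "context", grant the missing permission) can be automated. The following Python is an added example, not code from the AWS article or the AWS CLI: it parses a constructed decoded message shaped like the output in step 2, derives a policy that grants exactly the denied action on the denied resource, and runs a minimal sanity check of a policy document against the denial. The iam:PassedToService condition restricting the pass to ec2.amazonaws.com is an assumption added here (an EC2 restore launches an instance, so EC2 is the service that receives the role); the policy in step 3 uses role/* instead, which lets the role be passed to any role in the account, so prefer the scoped ARN from the decoded message where that is all the restore needs.

```python
import fnmatch
import json

# Constructed sample in the shape of `aws sts decode-authorization-message`
# output (the fields shown in step 2; 111122223333 is the documentation
# placeholder account ID, not a real account).
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AROAAAAAAAAAA:AWSBackup-AWSBackupDefaultServiceRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/"
                   "AWSBackupDefaultServiceRole/AWSBackup-AWSBackupDefaultServiceRole",
        },
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::111122223333:role/AmazonSSMRoleForInstancesQuickSetup",
        "conditions": {"items": []},
    },
})


def summarize_denial(decoded_json: str) -> dict:
    """Extract the role, action and resource from a decoded authorization message."""
    doc = json.loads(decoded_json)
    ctx = doc["context"]
    principal_arn = ctx["principal"]["arn"]
    # arn:aws:sts::ACCOUNT:assumed-role/ROLE-NAME/SESSION-NAME -> ROLE-NAME
    role_name = principal_arn.split(":assumed-role/")[1].split("/")[0]
    return {
        "allowed": doc["allowed"],
        "explicit_deny": doc.get("explicitDeny", False),
        "role_name": role_name,
        "action": ctx["action"],
        "resource": ctx["resource"],
    }


def least_privilege_policy(denial: dict) -> dict:
    """Build a policy granting only the denied action on the denied resource.

    For iam:PassRole the statement also carries an iam:PassedToService
    condition (assumption: the role is passed to EC2 when the instance is
    launched), so the role cannot be handed to any other service.
    """
    statement = {
        "Effect": "Allow",
        "Action": denial["action"],
        "Resource": denial["resource"],
    }
    if denial["action"] == "iam:PassRole":
        statement["Condition"] = {
            "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Sanity check: does some Allow statement match this action and resource?

    Expands the '*' and '?' wildcards IAM uses in Action and Resource, but
    ignores Condition blocks and Deny statements, so it only confirms the
    statement is present; use the IAM policy simulator for a real evaluation.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
            fnmatch.fnmatchcase(resource, r) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    denial = summarize_denial(DECODED_MESSAGE)
    print(f"{denial['role_name']} was denied {denial['action']} on {denial['resource']}")
    policy = least_privilege_policy(denial)
    print(json.dumps(policy, indent=4))
    print("policy covers the denial:", policy_allows(policy, denial["action"], denial["resource"]))
```

In practice the input to summarize_denial is the text that the step 1 command prints; attach the generated policy to the role named in role_name and re-run the restore job.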


Access Control (AWS Backup Developer Guide)
