Why am I receiving the error message "You are not authorized to perform this operation" when I try to launch an EC2 instance?

Last updated: 2020-03-30

When trying to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance, I'm receiving the error "An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message encoded-message". How do I resolve this? 

Short Description

The "UnauthorizedOperation" error indicates that the AWS Identity and Access Management (IAM) role or user trying to perform the operation does not have the permissions required to launch EC2 instances. Because the error includes an encoded message, use the AWS Command Line Interface (AWS CLI) to decode it. The decoded message provides more details about the authorization failure.

Prerequisite

The IAM user or role attempting to decode the encoded message must be granted permission for the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action through an IAM policy. If the user or role doesn't have this permission, the decode action fails and the following error message appears:

"Error: A client error (AccessDenied) occurred when calling the DecodeAuthorizationMessage operation: User: xxx is not authorized to perform: (sts:DecodeAuthorizationMessage) action".

For more information on the DecodeAuthorizationMessage action, see DecodeAuthorizationMessage.

Resolution

1.    Verify that the AWS CLI is installed and configured on your machine by running the following command.

$ aws --version

2.    Run the decode-authorization-message command. Replace encoded-message with the exact encoded message contained in the error message.

$ aws sts decode-authorization-message --encoded-message encoded-message

3.    The decoded message lists the required permissions that are missing from the IAM role or user policy.

The following is an example of an encoded message.

Launch Failed - You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn

The following is an example of a decoded message.

$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn

{
    "DecodedMessage": 
"{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"ABCDEFGHIJKLMNO\",\"name\":\"AWS-User\",
\"arn\":\"arn:aws:iam::accountID:user/test-user\"},\"action\":\"iam:PassRole\",
\"resource\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-2\"}]}},
{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/EC2_instance_Profile_role\"}]}},
{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"EC2_instance_Profile_role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"accountID\"}]}},
{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::accountID:role/EC2_instance_Profile_role\"}]}}]}}}"
}

The preceding decoded message indicates that the RunInstances request failed because AWS-User didn't have permission to perform the iam:PassRole action on arn:aws:iam::accountID:role/EC2_instance_Profile_role.

4.    Edit the IAM policy associated with the IAM role or user to add the missing permissions.
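The following is an added example (not part of this article) that reads a decoded message, either the raw output of aws sts decode-authorization-message or the inner JSON string, and extracts the principal, action and resource the IAM policy is missing, then builds the narrowest Allow statement that would satisfy that check. The sample input is a constructed copy of the decoded message shown above, abbreviated to two condition entries; the hypothetical helpers summarize_decoded and policy_statement_for are this example's own.

```python
import json

# Constructed sample: the decoded message from the example above, shortened.
# The CLI wraps this JSON as an escaped string under "DecodedMessage".
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "ABCDEFGHIJKLMNO", "name": "AWS-User",
                      "arn": "arn:aws:iam::accountID:user/test-user"},
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::accountID:role/EC2_instance_Profile_role",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
        ]},
    },
})


def summarize_decoded(decoded_message: str) -> dict:
    """Pull the fields an operator needs out of a decoded authorization message."""
    doc = json.loads(decoded_message)
    if "DecodedMessage" in doc:  # raw CLI output: the payload is a nested JSON string
        doc = json.loads(doc["DecodedMessage"])
    context = doc["context"]
    conditions = {c["key"]: [v["value"] for v in c["values"]["items"]]
                  for c in context["conditions"]["items"]}
    return {
        "principal": context["principal"]["arn"],
        "action": context["action"],
        "resource": context["resource"],
        "explicit_deny": doc["explicitDeny"],
        "conditions": conditions,
    }


def policy_statement_for(summary: dict) -> dict:
    """Build the narrowest Allow statement that would satisfy the failed check.
    An explicit Deny cannot be overridden by adding an Allow, so in that case
    the Deny statement itself has to be located and changed; return nothing."""
    if summary["explicit_deny"]:
        return {}
    statement = {"Effect": "Allow", "Action": summary["action"],
                 "Resource": summary["resource"]}
    # iam:PassRole is a privilege-escalation path if left broad: scope it to the
    # service that will assume the role (aws:Service in the decoded context).
    if summary["action"] == "iam:PassRole" and "aws:Service" in summary["conditions"]:
        services = [f"{s}.amazonaws.com" for s in summary["conditions"]["aws:Service"]]
        statement["Condition"] = {"StringEquals": {"iam:PassedToService": services}}
    return statement
```

Wrap the returned statement in a policy document with "Version": "2012-10-17" and a "Statement" list before attaching it to the role or user.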
