https://aws.amazon.com/premiumsupport/knowledge-center/ec2-not-auth-launch/
Resolution
1. Verify that the AWS CLI is installed and configured on your machine with the following command:
$ aws --version
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
2. Run the decode-authorization-message command. Replace encoded-message with the exact encoded message contained in the error message. The principal running this command must itself be allowed the sts:DecodeAuthorizationMessage action, or the call fails with a separate AccessDenied error.
$ aws sts decode-authorization-message --encoded-message encoded-message
3. The decoded message is a JSON document that identifies the principal that made the request, the action and resource that were denied, and the request context (condition keys such as aws:Region and aws:Service) that IAM evaluated. Read the verdict fields first: "allowed": false with "explicitDeny": false and an empty "matchedStatements" list means no policy grants the action, so add an Allow for that action and resource to the IAM role or user policy. "explicitDeny": true means a Deny statement matched, and adding an Allow will not help until that statement is found and changed.
Example encoded message:
Launch Failed – You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
Example decoded message:
$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
The CLI returns the decoded message as a single JSON string in the "DecodedMessage" field (with the inner quotes escaped); pretty-printed, that string is:
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": { "items": [] },
  "failures": { "items": [] },
  "context": {
    "principal": {
      "id": "ABCDEFGHIJKLMNO",
      "name": "AWS-User",
      "arn": "arn:aws:iam::accountID:user/test-user"
    },
    "action": "iam:PassRole",
    "resource": "arn:aws:iam::accountID:role/EC2_instance_Profile_role",
    "conditions": {
      "items": [
        { "key": "aws:Region",   "values": { "items": [ { "value": "us-east-2" } ] } },
        { "key": "aws:Service",  "values": { "items": [ { "value": "ec2" } ] } },
        { "key": "aws:Resource", "values": { "items": [ { "value": "role/EC2_instance_Profile_role" } ] } },
        { "key": "iam:RoleName", "values": { "items": [ { "value": "EC2_instance_Profile_role" } ] } },
        { "key": "aws:Account",  "values": { "items": [ { "value": "accountID" } ] } },
        { "key": "aws:Type",     "values": { "items": [ { "value": "role" } ] } },
        { "key": "aws:ARN",      "values": { "items": [ { "value": "arn:aws:iam::accountID:role/EC2_instance_Profile_role" } ] } }
      ]
    }
  }
}
In this example the user test-user was implicitly denied iam:PassRole on the role EC2_instance_Profile_role while launching an instance through EC2 in us-east-2. No statement matched, so the fix is to allow iam:PassRole on that role ARN in the user's policy. Because iam:PassRole is a sensitive permission (it lets the caller hand a role's privileges to a service), scope the Allow to the role ARN and, where possible, to the target service with the iam:PassedToService condition key rather than granting it on "*".
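The three steps above, carried through in code as an added example (this is not code from the AWS article). It parses the decoded message into the facts you act on, tells an implicit deny apart from an explicit one, and for an implicit deny drafts the minimal Allow statement. The two sample payloads are constructed here to match the article's example and a hypothetical explicit-deny variant; the account ID, principal ID, and the statement ID "DenyPassRole" are placeholders. The decode_with_sts helper is the boto3 equivalent of the CLI call and is not exercised offline.

```python
"""Summarize an STS DecodeAuthorizationMessage result and draft the fix.

Added example, not from the AWS Knowledge Center article. The sample
payloads are constructed; account and principal IDs are placeholders.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample: the inner JSON string the CLI returns in the
# "DecodedMessage" field for the article's iam:PassRole failure.
SAMPLE_IMPLICIT_DENY = json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "ABCDEFGHIJKLMNO", "name": "AWS-User",
                      "arn": "arn:aws:iam::accountID:user/test-user"},
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::accountID:role/EC2_instance_Profile_role",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
            {"key": "iam:RoleName", "values": {"items": [{"value": "EC2_instance_Profile_role"}]}},
        ]},
    },
})

# Constructed variant (hypothetical): the same call blocked by a Deny statement.
SAMPLE_EXPLICIT_DENY = json.dumps({
    "allowed": False, "explicitDeny": True,
    "matchedStatements": {"items": [
        {"sourcePolicyType": "IAM_POLICY", "statementId": "DenyPassRole"}]},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "ABCDEFGHIJKLMNO", "name": "AWS-User",
                      "arn": "arn:aws:iam::accountID:user/test-user"},
        "action": "iam:PassRole",
        "resource": "arn:aws:iam::accountID:role/EC2_instance_Profile_role",
        "conditions": {"items": [
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}}]},
    },
})


def summarize(decoded_message: str) -> Dict[str, Any]:
    """Reduce the DecodedMessage JSON string to principal, action, resource,
    condition context and a verdict (allowed / explicit deny / implicit deny)."""
    msg = json.loads(decoded_message)
    ctx = msg["context"]
    conditions: Dict[str, List[str]] = {
        c["key"]: [v["value"] for v in c["values"]["items"]]
        for c in ctx.get("conditions", {}).get("items", [])
    }
    if msg.get("allowed"):
        verdict = "allowed"
    elif msg.get("explicitDeny"):
        verdict = "explicit deny"   # a Deny statement matched; an Allow will not fix it
    else:
        verdict = "implicit deny"   # nothing granted the action; add an Allow
    return {
        "verdict": verdict,
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "conditions": conditions,
        "matched_statements": [s.get("statementId") for s in
                               msg.get("matchedStatements", {}).get("items", [])],
    }


def suggested_statement(summary: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Draft the least-privilege Allow for an implicit deny; None otherwise.
    For iam:PassRole the aws:Service context value names the service that
    will assume the role, so the Allow is pinned with iam:PassedToService."""
    if summary["verdict"] != "implicit deny":
        return None
    stmt: Dict[str, Any] = {"Effect": "Allow", "Action": summary["action"],
                            "Resource": summary["resource"]}
    if summary["action"] == "iam:PassRole" and "aws:Service" in summary["conditions"]:
        services = [f"{s}.amazonaws.com" for s in summary["conditions"]["aws:Service"]]
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": services}}
    return stmt


def decode_with_sts(encoded_message: str) -> str:
    """boto3 equivalent of `aws sts decode-authorization-message`. Needs
    credentials and sts:DecodeAuthorizationMessage on the caller."""
    import boto3  # imported here so the offline parts work without boto3
    sts = boto3.client("sts")
    return sts.decode_authorization_message(EncodedMessage=encoded_message)["DecodedMessage"]


if __name__ == "__main__":
    for sample in (SAMPLE_IMPLICIT_DENY, SAMPLE_EXPLICIT_DENY):
        s = summarize(sample)
        print(json.dumps(s, indent=2))
        print("suggested fix:", json.dumps(suggested_statement(s), indent=2))
```

Feed the real "DecodedMessage" value (for example `summarize(decode_with_sts(encoded))`) instead of the constructed samples; the explicit-deny branch is the one that saves time, because it tells you to go looking for a Deny statement or an SCP rather than adding yet another Allow.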