Decode AWS Console Error Message

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-not-auth-launch/

Resolution
1. Verify that the AWS CLI is installed and configured on your machine with the following command:

$ aws --version

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

2. Run the decode-authorization-message command. Replace encoded-message with the exact encoded message contained in the error message.

$ aws sts decode-authorization-message --encoded-message encoded-message

3. The decoded message lists the required permissions that are missing from the IAM role or user policy.

Example encoded message:

Launch Failed – You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
Example decoded message:

$ aws sts decode-authorization-message --encoded-message 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
{
    "DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"ABCDEFGHIJKLMNO","name":"AWS-User",
"arn":"arn:aws:iam::accountID:user/test-user"},"action":"iam:PassRole",
"resource":"arn:aws:iam::accountID:role/EC2_instance_Profile_role","conditions":{"items":[{"key":"aws:Region","values":{"items":[{"value":"us-east-2"}]}},
{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key":"aws:Resource","values":{"items":[{"value":"role/EC2_instance_Profile_role"}]}},
{"key":"iam:RoleName","values":{"items":[{"value":"EC2_instance_Profile_role"}]}},{"key":"aws:Account","values":{"items":[{"value":"accountID"}]}},
{"key":"aws:Type","values":{"items":[{"value":"role"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:iam::accountID:role/EC2_instance_Profile_role"}]}}]}}}"
}