Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
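The following code example shows how to use DecodeAuthorizationMessage. AWS CLI: To decode an encoded authorization message returned in response to a request. The following decode-authorization-message example decodes additional information about the authorization status of a request from an encoded message returned in response to an Amazon Web Services request. aws sts decode-authorization-message \ --encoded-message EXAMPLEWodyRNrtlQARDip-eTA6i6...
Sometimes you run into permission errors, and the console or the CLI reports an error like the one below, followed by a very long encoded string. This means that the details of the permission error have been encrypted; to get the original information, you must run the decode-authorization-message command with the account that reported the error in order to decrypt it. Note: running this command also requires its own permission, so first make sure you have this permission under the sts service before running the ...
To decode the error message and obtain details about the authorization failure, see DecodeAuthorizationMessage. After decoding the error message, identify the API caller and review the resource-level permissions and conditions. Review IAM policy permissions: If the error message indicates that the API was explicitly denied, remove the ec2:AssociateIamInstanceProfile or iam:PassRole API action from the matching statement. Confirm that ec2:AssociateIa...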
DecodeAuthorizationMessage", "ec2:DescribeImages", "ec2:DescribeRouteTables", "ec2:DescribeInstances", "iam:PassRole", "ec2:DescribeInstanceStatus", "ec2:RunInstances", "ec2:ModifyInstanceAttribute", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:DeleteVolume", "ec2:Create...
DecodeAuthorizationMessage: decode error message when an AWS API is denied; AssumeRoleWithSAML: return credentials for users logged in with SAML; GetFederationToken: obtain temporary creds for a federated user; GetCallerIdentity: return details about the IAM user or role used in the API call ...
aws sts decode-authorization-message --encoded-message <ENCODED MESSAGE> The decoded message (that I have omitted for brevity) tells me that there was an explicit deny to my request and includes the full SCP that caused the deny. This information is really useful for ...
DecodeAuthorizationMessage: Decode error message when an AWS API is denied. Process to Assume a Role: Define an IAM Role within your account or cross-account; Define which principals can access this IAM Role; Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role...
aws sts decode-authorization-message --encoded-message ~~ Parse the error content. AWS EC2 Instance Metadata • AWS EC2 instance metadata is powerful, but it is one of the lesser-known features for developers • It allows AWS EC2 instances to "learn about themselves" without using an IAM Role for that purpose. • The URL is http://169.254.169.254/latest/meta-data ...
[ "ecr:GetRepositoryPolicy", "iam:Get*", "iam:List*", "iam:SimulateCustomPolicy", "kms:GetKeyPolicy", "lambda:GetPolicy", "organizations:List*", "organizations:Describe*", "s3:GetBucketPolicy", "secretsmanager:GetResourcePolicy", "sts:DecodeAuthorizationMessage" ], "Resource": "*" } ...