Last Updated: February 25, 2016
· estahn

Scalr - decode AWS error messages

I'm currently evaluating Scalr and received the following message after starting a scalr farm:

Cannot launch server on 'ec2' platform: AWS Error. Request RunInstances failed. You are not authorized to perform this operation. Encoded authorization failure message: OZX...KyuI

The IAM Policy was according to the documentation and the message itself doesn't share light on the actual issue.

If you have AWS CLI installed you can easily decode the attached authorization failure message:

aws sts decode-authorization-message --encoded-message "OZX...KyuI"

This will output something like:

    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"abcdefg\",\"name\":\"scalr\",\"arn\":\"arn:aws:iam::123456:user/scalr\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::123456:role/foo-bar-ec2-role\",\"conditions\":{\"items\":[]}}}"

In this case "iam:PassRole" wasn't specified in the policy.