The AWS UnauthorizedOperation error usually appears when we try to access AWS resources as a user who has only read-only permissions.
Let's try to reproduce the error. In my previous article, “AWS : Identity and Access Management (IAM) – Add User”, I explained how to create a user; the user we created there has read-only permissions.
Let's try to stop or start the AWS EC2 instance by entering the command below at the AWS CLI:
C:\>aws ec2 stop-instances --instance-id "i-xxxxxxxxxxxxxx"

An error occurred (UnauthorizedOperation) when calling the StopInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: swKEY-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
See that AWS threw an error because we attempted to access AWS resources without the proper permissions.
So how do we fix this? It's simple: we need to access the AWS resources as a user who has permission to modify them. The current user doesn't have those permissions, so we will create a new user with the extra permissions needed to control AWS resources.
Create User with Full Access to AWS EC2 Resources
Before you continue reading, I recommend reading my previous article “AWS : Identity and Access Management (IAM) – Add User”.
While creating the group and selecting its policies, select the “AmazonEC2FullAccess” policy to give the user full access to EC2 instances.
Once the user is created, be sure to note down the “Access Key ID” and “Secret access key”; you need them to access AWS resources. If you skip this step, you cannot retrieve the “Secret access key” later. I recommend downloading these details and storing them in a secure place. Because the user has full access to EC2, you need to be especially careful to protect these keys to prevent unauthorized access to your EC2 instances.
Add Profile to AWS Configuration
Read the article “AWS CLI : AWS Configuration and Connect to EC2 Instance” before you continue adding a new user to the AWS configuration; the initial AWS configuration was set up in that article.
Now we need to add the new user's details to the existing AWS configuration. The command below adds a new user (profile) to the AWS configuration; observe that the “--profile” parameter names the profile being added.
C:\>aws configure --profile david2
AWS Access Key ID [None]: xxxxxxxxxxxxxx
AWS Secret Access Key [None]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Default region name [None]: us-east-2
Default output format [None]: text
Stop EC2 Instances from the AWS CLI – To verify the fix for the “AWS – UnauthorizedOperation” error
How did we start this article? We started it to fix the “UnauthorizedOperation” error we saw while stopping EC2 instances.
As discussed at the beginning of this article, the error occurs because the user has only read-only access to AWS resources. To fix it, we created a user with “AmazonEC2FullAccess”.
Now we will verify whether the new user can stop the EC2 instance. The command below stops an EC2 instance:
Observe that “--profile” is the parameter used to connect to and use AWS resources as a specific user; in this case, we connect as the new user.
C:\>aws ec2 stop-instances --instance-id "i-xxxxxxxxx" --profile david2
STOPPINGINSTANCES       i-xxxxxxxxxxxx
CURRENTSTATE    64      stopping
PREVIOUSSTATE   16      running
After running the above command, the result shows that the given EC2 instance is “stopping”. Let's confirm this by logging in to the AWS Management Console.
Open the EC2 Dashboard and observe that the EC2 instance is “stopped”.
As explained, this fix is specific to accessing EC2 resources. You can follow similar steps to fix the same error when accessing other AWS resources.
I hope you liked this article. Please send your feedback through the comments below.
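To make the cause of the error concrete, here is an added example (not code from this article or from AWS) that models IAM's default-deny evaluation over simplified sketches of a read-only policy and of AmazonEC2FullAccess, and goes one step beyond the article by showing a narrower policy that permits stop/start on a single instance only. The policy contents, account id and instance ARN are constructed assumptions, not the real managed policies.

```python
"""Toy IAM-style policy evaluator (added example; not AWS's evaluation engine)."""
import fnmatch

# Simplified sketches of the policies discussed on the page (constructed;
# the real managed policies contain more statements than shown here).
READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
EC2_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]}

# Least-privilege alternative: stop/start permitted on one instance only.
# Account id and instance id are placeholders.
INSTANCE_ARN = "arn:aws:ec2:us-east-2:123456789012:instance/i-0123456789abcdef0"
STOP_START_ONE = {"Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:StopInstances", "ec2:StartInstances"],
     "Resource": INSTANCE_ARN}]}


def _matches(pattern, value):
    # IAM action and resource patterns are case-insensitive globs using * and ?.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_authorized(policy, action, resource):
    """Return True if the policy allows `action` on `resource`.

    Mirrors the IAM rules that matter here: everything is denied unless an
    Allow statement matches, and an explicit Deny always wins.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_matches(a, action) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in [("ReadOnly", READ_ONLY), ("EC2FullAccess", EC2_FULL_ACCESS),
                         ("StopStartOne", STOP_START_ONE)]:
        for action in ("ec2:DescribeInstances", "ec2:StopInstances", "ec2:TerminateInstances"):
            print(f"{name:14} {action:24} {is_authorized(policy, action, INSTANCE_ARN)}")
```

The read-only sketch fails ec2:StopInstances just as the article's first command did, while the narrow policy fixes that call without also granting ec2:TerminateInstances.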
[..] David
You can decode the message using the AWS CLI:
aws sts decode-authorization-message --encoded-message <encoded-message> | jq '.DecodedMessage|fromjson' | jq
And that’s how entire organizations are owned and have their data stolen. Specific EC2 policies exist for a reason. Please, be mindful when setting permissions.
Well said, Bob. Exactly what I thought.