Error Message
You are not authorized to perform this operation. Please consult the permissions associated with your AWS Backup role(s), and refer to the AWS Backup documentation for more details. Encoded authorization failure message: <omitted>
Decode using aws sts decode-authorization-message --encoded-message <error message>.
Decoded Message
{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROAR23YLZYEOUMEHOE2O:AWSBackup-AWSBackupROLEEC2\",\"arn\":\"arn:aws:sts::xxxxxxxxxxxxx:assumed-role/AWSBackupROLEEC2/AWSBackup-AWSBackupROLEEC2\"},\"action\":\"iam:PassRole\",\"resource\":\"arn:aws:iam::xxxxxxxxxxxxx:role/IAM_ROLE_EC2_Access\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"ap-northeast-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"role/IAM_ROLE_EC2_Access\"}]}},{\"key\":\"iam:RoleName\",\"values\":{\"items\":[{\"value\":\"IAM_ROLE_EC2_Access\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"role\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"xxxxxxxxxxxxx\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::xxxxxxxxxxxxx:role/IAM_ROLE_EC2_Access\"}]}}]}}}"
}
The decoded message shows that the AWS Backup role was denied iam:PassRole on the role IAM_ROLE_EC2_Access. matchedStatements is empty and explicitDeny is false, so this is an implicit deny: no policy grants the permission, and an Allow statement will resolve it.
As described in the articles below, an additional policy needs to be attached to the AWS Backup role.
- Troubleshooting Encoded Authorization Failure Messages When Restoring an Amazon EC2 Instance Using AWS Backup
- How to Fix Errors When Restoring from AWS Backup While EC2 Can Be Restored from AMI | DevelopersIO
The target EC2 instance had an IAM role attached. Restoring it attaches an IAM role to the new instance, which requires iam:PassRole for that role. Therefore, when restoring from AWS Backup, the “AWS Backup role” needs to be granted “PassRole permission for the role to be attached to EC2”, as in the following policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Effect": "Allow"
        }
    ]
}
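As an added example (not code from the original post), the decode-and-fix step in Python: it unwraps the output of aws sts decode-authorization-message, extracts the denied action, the role ARN and the service the role is passed to, and emits a PassRole statement limited to that single role and to EC2 instead of role/*. The sample CLI output, account id and principal id are constructed placeholders, and the helper names are my own.

```python
import json

# Constructed sample in the shape of `aws sts decode-authorization-message` output.
# Account id, principal id and role name are placeholders, not real values.
SAMPLE_DECODED = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {
                "id": "AROAEXAMPLEID:AWSBackup-AWSBackupROLEEC2",
                "arn": "arn:aws:sts::111122223333:assumed-role/AWSBackupROLEEC2/AWSBackup-AWSBackupROLEEC2",
            },
            "action": "iam:PassRole",
            "resource": "arn:aws:iam::111122223333:role/IAM_ROLE_EC2_Access",
            "conditions": {"items": [
                {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
                {"key": "iam:RoleName", "values": {"items": [{"value": "IAM_ROLE_EC2_Access"}]}},
            ]},
        },
    })
})


def parse_denial(cli_output: str) -> dict:
    """Unwrap the DecodedMessage string (JSON inside JSON) and pull out the
    denied action, the resource, and the aws:Service the role is passed to."""
    inner = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = inner["context"]
    conds = {c["key"]: [v["value"] for v in c["values"]["items"]]
             for c in ctx["conditions"]["items"]}
    return {
        "explicit_deny": inner["explicitDeny"],
        "principal_arn": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "service": conds.get("aws:Service", [None])[0],
    }


def passrole_policy(denial: dict) -> dict:
    """Build an Allow for exactly the denied role, restricted to the receiving
    service. An explicit Deny cannot be overridden by an Allow, so refuse then."""
    if denial["action"] != "iam:PassRole" or denial["explicit_deny"]:
        raise ValueError("not an implicit iam:PassRole denial; adding an Allow will not help")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole", "Resource": denial["resource"],
        "Condition": {"StringEquals": {"iam:PassedToService": f"{denial['service']}.amazonaws.com"}},
    }]}
```

Attach the generated statement to the AWS Backup role; if parse_denial reports explicit_deny as true, look for the Deny statement instead of adding an Allow.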