Introduction
The first time I used Terraform, I got the error "Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation."
This post summarizes how I resolved it.
Problem
Running
terraform apply
produced the following errors.
aws_eip.nat_1a: Creating...
aws_vpc.this: Creating...
╷
│ Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::hogehoge is not authorized to perform: ec2:CreateVpc on resource: arn:aws:ec2:ap-northeast-1:638060685095:vpc/* because no permissions boundary allows the ec2:CreateVpc action. Encoded authorization failure message: n5C30FiRgbfn3jgIex3lwaZW-HiwXKCCyXVxQTMQTTNk2MEaMFcGhUdD3uMBE9wK8_34tBqEJGVfqM67oJdtBhpe2H2BPy7NCh_6YZjHbKzbYzQIx6Y8GDVVLk0A25jfWxNALIlnNUXUFb8mWMoKKfkxFBNSRJ3TzIpUVH41ofd-mC0JvB5nmzHNsOQmlzWZQCNVNmL743rNWsOLA8GNouOx0DIv6HhFLf-R-ixyvXia1JGyzxclt0BBhj_3nad0J5u-4z4vdOFgfDlG37gs0djCkjCa1iIjnylwlN0cUMKXJ0tNLP37Ar1IlPKO1g4xFmVRTicgNID_pF_PEq37v2ihasYuKlwq7S9wsCFKxT5k80GYJWcqetDqJ6cgw1ncWYVKQAGk3OesjJ1gdJmU8ysTEu03DzyWrSBNSzpBRUgX4ZtXojvkkFKqWX0ffwGtybU16LD-wNiOwx1IWtB0ylNlotZD257cJQc8bMm9GiwcPnup0x1Htj_H1Wigor35LaH4-A
│ status code: 403, request id: 4ccf835f-5cde-47d5-82b4-8b6fa88a499f
│
│ with aws_vpc.this,
│ on aws_vpc.tf line 4, in resource "aws_vpc" "this":
│ 4: resource "aws_vpc" "this" {
│
╵
╷
│ Error: Error creating EIP: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::hogehoge is not authorized to perform: ec2:AllocateAddress on resource: arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/* because no permissions boundary allows the ec2:AllocateAddress action. Encoded authorization failure message: 9Zuoxt4D6JhWGRn3WSgwqRRGPsqQKZ2UzWR5R9HkBfAKNb0de88QM2RxPqoEFYOPp7lf-o-OpOiZxfiKP9d__Zt-SxDMBpf415bZAzIf5t33XEWGlJkQhpkyvzhOUSL-vYwNlppPUK0t2OETCyK9E4Tos4JBaTpFPT0Ypvj3oyOIMElDLtaA4nbHDS2t67L4d39RdzE4lSd6krxu7GN5ExUBNkxwudq7RS9aQmrE1yU4aqsS8XuS03RV6Hc_0kuUQ57LzM86SKgmKz8N06veGfi4ZyOnErsxCmAixrRKclNWneheOLrBspah_vVP_cMe0NV_SCEfwZUoUUE5Up-TU8VjAoe1IizOCX5Ph6CR0_vFuLgzuKmM9UdXOXnOwts0keEIAR-P8YlSfHTBY27jHqwVTonPrZ5iI1Rdx_5G9SS8Lgd32beLZiHRXHyd859HVYw16yRx_TCms8aaTFpL7QRcIzWs9rOXPTIp11avWKiYbWWA7P1WJmVkD4y4tn0DUaPsf-SZLA
│ status code: 403, request id: 06fcd413-1ca8-4b7a-bd8f-92962587bed0
│
│ with aws_eip.nat_1a,
│ on aws_vpc.tf line 78, in resource "aws_eip" "nat_1a":
│ 78: resource "aws_eip" "nat_1a" {
│
╵
Solution
Near the end of the error text there was an encoded error detail:
Encoded authorization failure message: n5C30FiRgbfn3jgIex3lwaZW-HiwXKCCyXVxQTMQTTNk2MEaMFcGhUdD3uMBE9wK8_34tBqEJGVfqM67oJdtBhpe2H2BPy7NCh_6YZjHbKzbYzQIx6Y8GDVVLk0A25jfWxNALIlnNUXUFb8mWMoKKfkxFBNSRJ3TzIpUVH41ofd-mC0JvB5nmzHNsOQmlzWZQCNVNmL743rNWsOLA8GNouOx0DIv6HhFLf-R-ixyvXia1JGyzxclt0BBhj_3nad0J5u-4z4vdOFgfDlG37gs0djCkjCa1iIjnylwlN0cUMKXJ0tNLP37Ar1IlPKO1g4xFmVRTicgNID_pF_PEq37v2ihasYuKlwq7S9wsCFKxT5k80GYJWcqetDqJ6cgw1ncWYVKQAGk3OesjJ1gdJmU8ysTEu03DzyWrSBNSzpBRUgX4ZtXojvkkFKqWX0ffwGtybU16LD-wNiOwx1IWtB0ylNlotZD257cJQc8bMm9GiwcPnup0x1Htj_H1Wigor35LaH4-A
so I decode it with the STS DecodeAuthorizationMessage API.
$ aws sts decode-authorization-message --encoded-message "OU9m6-FcHaHTuKARncbX8lwBeclgwMyPG_LMKD0mx2h70w9nD3TMhqW-Jb01Td7ytDWBiTpyIw
af6TBiuEHJp7eXIwtZjnUarDLAMsuaATwy-4ICsTmjXGyLu4a9A8Esiys7MZbyVi_hk-1VqpkxrgbP-d_8ieTMBd_
onwmxiMlw0DLhNvItzybMcb8a-zECN3UUQLCKF4sdo0ji29t5QppVce_uUvf6V13iTyCqdBw_VNoidYK5V69_tDQj
egaCm8UYOuXr-6fwUb-KM6EfXmtpUHg50VSwdfN63C4sChcK3bPAilf9SXXVi51Xo4bQNLcRmPhVp4jHGkgCGNKSU
0HF3-lj_PvCpaPPtv0lK1qwOm0yX0sVER4TodyKtdKtSFix9c2lAIucZLvLNSu0ssYR_AkKejCNPsSRVz6_wYiFDb
QP4LBrhyk68a6_Q8VNtTpaUYa0_qcp8bN83H9F2l6kfFQv6aWviC432kZ4NcGWksfZ-ZUtNVB3fECAvmBtoaB2X2I
"
An error occurred (AccessDenied) when calling the DecodeAuthorizationMessage operation: User: arn:aws:iam::hogehoge is not authorized to perform: sts:DecodeAuthorizationMessage because no permissions boundary allows the sts:DecodeAuthorizationMessage action
This says the IAM user does not have sts:DecodeAuthorizationMessage.
Go to IAM > Policies > Create policy > JSON, create a policy named "DecodeAuthorizationMessage" with the following document, and attach it to the IAM user.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:DecodeAuthorizationMessage",
      "Resource": "*"
    }
  ]
}
With that in place, the message can now be decoded from the CLI. Note that DecodedMessage is itself a JSON string, so it is piped through jq twice below to pretty-print it.
$ aws sts decode-authorization-message --encoded-message ENCODE_MESSAGE
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AIDAZJD3BM4TTNBTVWAZS\",\"name\":\"hori\",\"arn\":\"arn:aws:iam::638060685095:user/hori\"},\"action\":\"AllocateAddress\",\"resource\":\"arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/*\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"ap-northeast-1\"}]}},{\"key\":\"aws:ID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"elastic-ip/*\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"elastic-ip\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"638060685095\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/*\"}]}}]}}}"
}
$ aws sts decode-authorization-message --encoded-message ENCODE_MESSAGE | jq .DecodedMessage --raw-output | jq .
{
"allowed": false,
"explicitDeny": false,
"matchedStatements": {
"items": []
},
"failures": {
"items": []
},
"context": {
....
Alternatively, you can decode it in AWS CloudShell.
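Reading the decoded JSON by eye gets tedious, so here is a small helper (an added example, not code from the original post) that parses the output of aws sts decode-authorization-message and classifies the denial: an implicit deny (nothing allowed the action, the case above, where matchedStatements is empty) versus an explicit deny from a matched Deny statement. The sample input is constructed after the AllocateAddress output above with placeholder account and user ids; decode_via_sts and its boto3 call are the only part that needs AWS credentials.

```python
import json

# Constructed sample in the shape `aws sts decode-authorization-message` prints,
# modelled on the post's AllocateAddress output with placeholder account/user ids.
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLE", "name": "example-user",
                      "arn": "arn:aws:iam::111111111111:user/example-user"},
        "action": "AllocateAddress",
        "resource": "arn:aws:ec2:ap-northeast-1:111111111111:elastic-ip/*",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "ap-northeast-1"}]}}]},
    },
})})

def summarize(cli_output: str) -> dict:
    """Parse the CLI JSON (DecodedMessage is itself a JSON string) and classify the denial.
    "implicit deny": no identity policy, permissions boundary or SCP allowed the action
    (the post's case, matchedStatements empty). "explicit deny": a Deny statement matched,
    and matched_statements names the policy it came from.
    """
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded.get("context", {})
    if decoded.get("allowed"):
        verdict = "allowed"
    elif decoded.get("explicitDeny"):
        verdict = "explicit deny"
    else:
        verdict = "implicit deny"
    return {
        "verdict": verdict,
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        # STS reports matched statements with sourcePolicyType / sourcePolicyId
        "matched_statements": [(s.get("sourcePolicyType"), s.get("sourcePolicyId"))
                               for s in decoded.get("matchedStatements", {}).get("items", [])],
        "conditions": {c["key"]: [v["value"] for v in c["values"]["items"]]
                       for c in ctx.get("conditions", {}).get("items", [])},
    }

def decode_via_sts(encoded: str) -> dict:
    """Same STS call as the post's CLI command (caller needs sts:DecodeAuthorizationMessage);
    boto3 is imported lazily so summarize() runs offline without it."""
    import boto3
    resp = boto3.client("sts").decode_authorization_message(EncodedMessage=encoded)
    return summarize(json.dumps({"DecodedMessage": resp["DecodedMessage"]}))
```

An "implicit deny" verdict with an empty matched_statements list means the fix is to grant the action somewhere in the chain (identity policy, permissions boundary, SCP), whereas an "explicit deny" points at the named policy to inspect.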
Conclusion
This is a spot where Terraform beginners are likely to stumble.