Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation.

Introduction

The first time I used Terraform, I got the error "Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation."

This post summarises how I resolved it.

Problem

Running terraform apply produced the following error.

aws_eip.nat_1a: Creating...
aws_vpc.this: Creating...
╷
│ Error: Error creating VPC: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::hogehoge is not authorized to perform: ec2:CreateVpc on resource: arn:aws:ec2:ap-northeast-1:638060685095:vpc/* because no permissions boundary allows the ec2:CreateVpc action. Encoded authorization failure message: n5C30FiRgbfn3jgIex3lwaZW-HiwXKCCyXVxQTMQTTNk2MEaMFcGhUdD3uMBE9wK8_34tBqEJGVfqM67oJdtBhpe2H2BPy7NCh_6YZjHbKzbYzQIx6Y8GDVVLk0A25jfWxNALIlnNUXUFb8mWMoKKfkxFBNSRJ3TzIpUVH41ofd-mC0JvB5nmzHNsOQmlzWZQCNVNmL743rNWsOLA8GNouOx0DIv6HhFLf-R-ixyvXia1JGyzxclt0BBhj_3nad0J5u-4z4vdOFgfDlG37gs0djCkjCa1iIjnylwlN0cUMKXJ0tNLP37Ar1IlPKO1g4xFmVRTicgNID_pF_PEq37v2ihasYuKlwq7S9wsCFKxT5k80GYJWcqetDqJ6cgw1ncWYVKQAGk3OesjJ1gdJmU8ysTEu03DzyWrSBNSzpBRUgX4ZtXojvkkFKqWX0ffwGtybU16LD-wNiOwx1IWtB0ylNlotZD257cJQc8bMm9GiwcPnup0x1Htj_H1Wigor35LaH4-A
│       status code: 403, request id: 4ccf835f-5cde-47d5-82b4-8b6fa88a499f
│ 
│   with aws_vpc.this,
│   on aws_vpc.tf line 4, in resource "aws_vpc" "this":
│    4: resource "aws_vpc" "this" {
│ 
╵
╷
│ Error: Error creating EIP: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::hogehoge is not authorized to perform: ec2:AllocateAddress on resource: arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/* because no permissions boundary allows the ec2:AllocateAddress action. Encoded authorization failure message: 9Zuoxt4D6JhWGRn3WSgwqRRGPsqQKZ2UzWR5R9HkBfAKNb0de88QM2RxPqoEFYOPp7lf-o-OpOiZxfiKP9d__Zt-SxDMBpf415bZAzIf5t33XEWGlJkQhpkyvzhOUSL-vYwNlppPUK0t2OETCyK9E4Tos4JBaTpFPT0Ypvj3oyOIMElDLtaA4nbHDS2t67L4d39RdzE4lSd6krxu7GN5ExUBNkxwudq7RS9aQmrE1yU4aqsS8XuS03RV6Hc_0kuUQ57LzM86SKgmKz8N06veGfi4ZyOnErsxCmAixrRKclNWneheOLrBspah_vVP_cMe0NV_SCEfwZUoUUE5Up-TU8VjAoe1IizOCX5Ph6CR0_vFuLgzuKmM9UdXOXnOwts0keEIAR-P8YlSfHTBY27jHqwVTonPrZ5iI1Rdx_5G9SS8Lgd32beLZiHRXHyd859HVYw16yRx_TCms8aaTFpL7QRcIzWs9rOXPTIp11avWKiYbWWA7P1WJmVkD4y4tn0DUaPsf-SZLA
│       status code: 403, request id: 06fcd413-1ca8-4b7a-bd8f-92962587bed0
│ 
│   with aws_eip.nat_1a,
│   on aws_vpc.tf line 78, in resource "aws_eip" "nat_1a":
│   78: resource "aws_eip" "nat_1a" {
│ 
╵

Solution

Near the end of the error message there were encoded error details:

Encoded authorization failure message: n5C30FiRgbfn3jgIex3lwaZW-HiwXKCCyXVxQTMQTTNk2MEaMFcGhUdD3uMBE9wK8_34tBqEJGVfqM67oJdtBhpe2H2BPy7NCh_6YZjHbKzbYzQIx6Y8GDVVLk0A25jfWxNALIlnNUXUFb8mWMoKKfkxFBNSRJ3TzIpUVH41ofd-mC0JvB5nmzHNsOQmlzWZQCNVNmL743rNWsOLA8GNouOx0DIv6HhFLf-R-ixyvXia1JGyzxclt0BBhj_3nad0J5u-4z4vdOFgfDlG37gs0djCkjCa1iIjnylwlN0cUMKXJ0tNLP37Ar1IlPKO1g4xFmVRTicgNID_pF_PEq37v2ihasYuKlwq7S9wsCFKxT5k80GYJWcqetDqJ6cgw1ncWYVKQAGk3OesjJ1gdJmU8ysTEu03DzyWrSBNSzpBRUgX4ZtXojvkkFKqWX0ffwGtybU16LD-wNiOwx1IWtB0ylNlotZD257cJQc8bMm9GiwcPnup0x1Htj_H1Wigor35LaH4-A

So I decode them.

$ aws sts decode-authorization-message --encoded-message "OU9m6-FcHaHTuKARncbX8lwBeclgwMyPG_LMKD0mx2h70w9nD3TMhqW-Jb01Td7ytDWBiTpyIw
af6TBiuEHJp7eXIwtZjnUarDLAMsuaATwy-4ICsTmjXGyLu4a9A8Esiys7MZbyVi_hk-1VqpkxrgbP-d_8ieTMBd_
onwmxiMlw0DLhNvItzybMcb8a-zECN3UUQLCKF4sdo0ji29t5QppVce_uUvf6V13iTyCqdBw_VNoidYK5V69_tDQj
egaCm8UYOuXr-6fwUb-KM6EfXmtpUHg50VSwdfN63C4sChcK3bPAilf9SXXVi51Xo4bQNLcRmPhVp4jHGkgCGNKSU
0HF3-lj_PvCpaPPtv0lK1qwOm0yX0sVER4TodyKtdKtSFix9c2lAIucZLvLNSu0ssYR_AkKejCNPsSRVz6_wYiFDb
QP4LBrhyk68a6_Q8VNtTpaUYa0_qcp8bN83H9F2l6kfFQv6aWviC432kZ4NcGWksfZ-ZUtNVB3fECAvmBtoaB2X2I
"

An error occurred (AccessDenied) when calling the DecodeAuthorizationMessage operation: User: arn:aws:iam::hogehoge is not authorized to perform: sts:DecodeAuthorizationMessage because no permissions boundary allows the sts:DecodeAuthorizationMessage action

The output said the IAM user lacks sts:DecodeAuthorizationMessage.

In IAM > Policies > Create policy > JSON, create a "DecodeAuthorizationMessage" policy and attach it to the IAM user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*"
        }
    ]
}

With that, I could decode it from the CLI.

$ aws sts decode-authorization-message --encoded-message ENCODE_MESSAGE
{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AIDAZJD3BM4TTNBTVWAZS\",\"name\":\"hori\",\"arn\":\"arn:aws:iam::638060685095:user/hori\"},\"action\":\"AllocateAddress\",\"resource\":\"arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/*\",\"conditions\":{\"items\":[{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"ap-northeast-1\"}]}},{\"key\":\"aws:ID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"elastic-ip/*\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"elastic-ip\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"638060685095\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:ap-northeast-1:638060685095:elastic-ip/*\"}]}}]}}}"
}

$ aws sts decode-authorization-message --encoded-message ENCODE_MESSAGE | jq .DecodedMessage --raw-output | jq .
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
  ....

Alternatively, you can also decode it in AWS CloudShell.
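To read the decoded message without eyeballing the nested JSON, here is an added Python example (not from the post) that parses the CLI output and reports whether the call was refused by an explicit Deny or, as in the post's case, because no Allow statement matched in any layer (identity policy, permissions boundary, SCP); the sample response, account ID and ARNs are constructed. It also emits an Allow statement scoped to the denied action and resource ARN instead of Resource "*".

```python
import json

# Constructed sample of what `aws sts decode-authorization-message` prints:
# DecodedMessage is itself a JSON string nested inside the outer JSON object.
SAMPLE_RESPONSE = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLE", "name": "hori",
                      "arn": "arn:aws:iam::123456789012:user/hori"},
        "action": "AllocateAddress",
        "resource": "arn:aws:ec2:ap-northeast-1:123456789012:elastic-ip/*",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "ap-northeast-1"}]}},
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
        ]},
    },
})})

def summarize_decoded(response_text: str) -> dict:
    """Turn the two-layer JSON into the facts a policy author needs."""
    msg = json.loads(json.loads(response_text)["DecodedMessage"])
    ctx = msg["context"]
    matched = msg["matchedStatements"]["items"]
    conditions = {c["key"]: [v["value"] for v in c["values"]["items"]]
                  for c in ctx["conditions"]["items"]}
    # The context carries the bare API name; aws:Service supplies the prefix.
    service = conditions.get("aws:Service", ["?"])[0]
    if msg["allowed"]:
        reason = "allowed"
    elif msg["explicitDeny"]:
        reason = "explicit deny: a Deny statement matched"
    elif not matched:
        # No Allow matched anywhere: identity policy, permissions boundary and
        # SCPs must all allow the call, so check each layer (the post's error
        # text named the permissions boundary).
        reason = "implicit deny: no Allow statement matched"
    else:
        reason = "denied: matched statements failed (see failures)"
    return {"principal": ctx["principal"]["arn"],
            "action": f"{service}:{ctx['action']}",
            "resource": ctx["resource"], "allowed": msg["allowed"],
            "reason": reason, "conditions": conditions}

def minimal_allow_statement(summary: dict) -> dict:
    """Allow statement scoped to the denied action and resource ARN, for the
    policy layer that produced the implicit deny (narrower than Resource "*")."""
    return {"Effect": "Allow", "Action": summary["action"],
            "Resource": summary["resource"]}
```

Pipe the real CLI output into summarize_decoded to get the same summary for a live denial.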

Conclusion

This is a spot where Terraform beginners are likely to stumble.

References

Decoding insufficient-permission errors from the Management Console | DevelopersIO