1
00:00:00,330 --> 00:00:01,960
So when you run API calls

2
00:00:01,960 --> 00:00:04,430
and they fail like we just did in the previous lecture,

3
00:00:04,430 --> 00:00:07,360
we can get a long error message that doesn't mean much,

4
00:00:07,360 --> 00:00:09,420
and we want to be able to decode it.

5
00:00:09,420 --> 00:00:11,740
And for this, it's a very popular question

6
00:00:11,740 --> 00:00:14,660
as well on the exam, you need the STS command line.

7
00:00:14,660 --> 00:00:18,550
So you have to run this sts decode-authorization-message

8
00:00:18,550 --> 00:00:20,400
to decode the messages.

9
00:00:20,400 --> 00:00:22,750
There is no better way to practice this concept,

10
00:00:22,750 --> 00:00:24,520
so let's have a look at how this works.

11
00:00:24,520 --> 00:00:26,900
As you remember, when we did the EC2

12
00:00:26,900 --> 00:00:29,750
run-instances dry-run, we got this:

13
00:00:29,750 --> 00:00:31,650
you are not authorized to perform this operation,

14
00:00:31,650 --> 00:00:35,510
and then it gave us this entire message

15
00:00:35,510 --> 00:00:37,240
as an authorization failure.

16
00:00:37,240 --> 00:00:38,550
Now we want to decode it.

17
00:00:38,550 --> 00:00:40,140
So for this, I'll just go to Google

18
00:00:40,140 --> 00:00:44,300
and type AWS sts decode-authorization-message.

19
00:00:44,300 --> 00:00:46,550
Click on it, and basically it says

20
00:00:46,550 --> 00:00:48,330
we can decode additional information

21
00:00:48,330 --> 00:00:50,980
about the authorization status of the request.

22
00:00:50,980 --> 00:00:53,740
So the way to use it is to just run

23
00:00:53,740 --> 00:00:55,520
decode-authorization-message, and then

24
00:00:55,520 --> 00:00:58,290
we pass a flag called encoded-message,

25
00:00:58,290 --> 00:01:00,360
and the value of the message.

26
00:01:00,360 --> 00:01:02,730
So now let's have a look at how this works.

27
00:01:02,730 --> 00:01:07,730
We'll do aws sts decode-authorization-message.
28
00:01:11,400 --> 00:01:13,363
And I need to make sure I get this right.

29
00:01:14,560 --> 00:01:17,220
We have passed the encoded-message and the values.

30
00:01:17,220 --> 00:01:21,920
So encoded-message, and we'll pass this entire message,

31
00:01:21,920 --> 00:01:26,420
all the way from here, from the vb to the 1k.

32
00:01:26,420 --> 00:01:29,460
I'll paste it and press enter.

33
00:01:29,460 --> 00:01:31,530
And now we get, obviously, maybe you

34
00:01:31,530 --> 00:01:33,490
predicted it, an access denied.

35
00:01:33,490 --> 00:01:37,500
It's because our IAM role is not authorized

36
00:01:37,500 --> 00:01:40,420
to perform this operation, the STS.

37
00:01:40,420 --> 00:01:42,990
So basically any time you run an AWS API call,

38
00:01:42,990 --> 00:01:44,660
you have to authorize yourself.

39
00:01:44,660 --> 00:01:47,440
So we could run this straight from our computer

40
00:01:47,440 --> 00:01:49,160
and it will work, but just for the fun

41
00:01:49,160 --> 00:01:52,120
and practicing, I will authorize my EC2 instance

42
00:01:52,120 --> 00:01:53,430
to run this command.

43
00:01:53,430 --> 00:01:54,610
So let's have a look.

44
00:01:54,610 --> 00:01:57,180
We go back to the IAM management console

45
00:01:57,180 --> 00:01:59,000
and we'll edit the policy.

46
00:01:59,000 --> 00:02:01,300
We'll add an additional permission.

47
00:02:01,300 --> 00:02:04,460
For the service, we'll choose STS

48
00:02:04,460 --> 00:02:07,090
and then we'll basically authorize

49
00:02:07,090 --> 00:02:09,040
a read or a write operation.

50
00:02:09,040 --> 00:02:11,020
It is actually a write operation.

51
00:02:11,020 --> 00:02:14,630
We'll authorize a decode authorization message.

52
00:02:14,630 --> 00:02:16,430
We don't need to choose resources,

53
00:02:16,430 --> 00:02:18,680
and we don't need to specify conditions.
54
00:02:18,680 --> 00:02:20,770
We'll review the policy, and now we have

55
00:02:20,770 --> 00:02:23,703
an STS permission, we'll save the changes.

56
00:02:25,830 --> 00:02:28,270
And once this is done, our EC2 instance

57
00:02:28,270 --> 00:02:30,130
should have a statement right here,

58
00:02:30,130 --> 00:02:32,760
allow, saying you're allowed to decode

59
00:02:32,760 --> 00:02:35,120
authorization messages.

60
00:02:35,120 --> 00:02:36,080
That sounds about right.

61
00:02:36,080 --> 00:02:37,930
Now let's give it a try.

62
00:02:37,930 --> 00:02:41,710
So I'll run the exact same command right here

63
00:02:41,710 --> 00:02:45,310
and, as you can see now, we get a decoded message.

64
00:02:45,310 --> 00:02:47,310
Now, this message, I have to admit,

65
00:02:47,310 --> 00:02:49,400
isn't extremely helpful right now.

66
00:02:49,400 --> 00:02:51,810
But if you were running an API call

67
00:02:51,810 --> 00:02:55,270
that had, you know, some very interesting information,

68
00:02:55,270 --> 00:02:58,060
then you would get it from the sts decode message.

69
00:02:58,060 --> 00:03:00,790
You can always use echo on this,

70
00:03:00,790 --> 00:03:03,520
so let's just echo this to see how it works.

71
00:03:03,520 --> 00:03:04,620
We'll echo, and now we get

72
00:03:04,620 --> 00:03:07,370
a slightly better format of it.

73
00:03:07,370 --> 00:03:09,040
What I like to do is just copy

74
00:03:09,040 --> 00:03:11,850
this JSON file into my VS Code.

75
00:03:11,850 --> 00:03:16,280
So here I paste it, I say that it is a JSON document,

76
00:03:16,280 --> 00:03:18,380
so we get slightly better formatting.

77
00:03:18,380 --> 00:03:22,630
And then using a quick action, I can basically

78
00:03:22,630 --> 00:03:26,480
reformat, format the file, so format the selection,

79
00:03:26,480 --> 00:03:29,380
and this gives me a better JSON document.
80
00:03:29,380 --> 00:03:31,810
So we can see now, we haven't been allowed,

81
00:03:31,810 --> 00:03:34,170
we didn't get an explicit deny.

82
00:03:34,170 --> 00:03:36,240
If it gets allowed or denied we get

83
00:03:36,240 --> 00:03:38,150
matched statements, which help us

84
00:03:38,150 --> 00:03:40,440
basically drill down into why there was an error,

85
00:03:40,440 --> 00:03:43,060
or if we get failures, they're also right here.

86
00:03:43,060 --> 00:03:44,600
And then it gives us a bunch of context

87
00:03:44,600 --> 00:03:46,580
around the API call that was made,

88
00:03:46,580 --> 00:03:50,260
such as the ID, the ARN of the API call,

89
00:03:50,260 --> 00:03:52,290
and for example here we see that it's

90
00:03:52,290 --> 00:03:53,970
the IAM role MyFirstEC2Role

91
00:03:53,970 --> 00:03:57,440
that was running from this instance ID, excellent.

92
00:03:57,440 --> 00:04:00,670
And then we tried to run a RunInstances API call

93
00:04:00,670 --> 00:04:02,790
on this resource, and it turns out

94
00:04:02,790 --> 00:04:05,580
that all these parameters were specified.

95
00:04:05,580 --> 00:04:07,440
So as you can see, there's a lot happening here.

96
00:04:07,440 --> 00:04:09,400
But what I want you to understand

97
00:04:09,400 --> 00:04:13,680
is that from this very cryptic, long,

98
00:04:13,680 --> 00:04:15,330
let me just show it to you again,

99
00:04:15,330 --> 00:04:18,100
from this very cryptic, long message,

100
00:04:18,100 --> 00:04:21,630
using the sts decode-authorization-message,

101
00:04:21,630 --> 00:04:23,870
we are able to decrypt it and get

102
00:04:23,870 --> 00:04:25,540
valuable information out of it.

103
00:04:25,540 --> 00:04:27,650
And that's all you should know for the exam.

104
00:04:27,650 --> 00:04:31,070
You have to run the sts decode-authorization-message API.
105
00:04:31,070 --> 00:04:32,010
So I hope that was helpful,

106
00:04:32,010 --> 00:04:33,960
and I will see you in the next lecture.