When you get this kind of message:
"code": "UnauthorizedOperation",
"message": "You are not authorized to perform this operation. Encoded authorization failure message: Q92aQ6....
Make sure you have the proper set of IAM rights, I simply use an assumable administrator role:
eval $(aws sts assume-role \
--role-arn arn:aws:iam::1234567:role/mgmt-assumable-role \
--role-session-name test | \
jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)"')
Last, decode the message:
aws sts decode-authorization-message --encoded-message <encdoedMsg> --query DecodedMessage --output text | jq '.'