Encode and decode the opaque deny-reason token returned to clients
when an IAM check denies a request, and consumed by
`sts:DecodeAuthorizationMessage`.

AWS treats the encoded message as an opaque blob; the documented
contract is “pass it back to DecodeAuthorizationMessage and you’ll
get JSON describing why the request was denied”. We do the same:
the token is a deflate-compressed JSON document, base64-encoded.
The decoder reverses the transformation, so any deny-time site that
calls `encode_deny` gets a real round-trip without needing a
separate state map. Nothing in the token is keyed or authenticated:
anyone holding it can inflate it and read the deny reason locally.
That is fine for a fake, but it differs from the real service, where
the blob is opaque to the holder and only STS can decode it.

This module lives in `fakecloud-core` so the dispatch layer (which
turns `Decision::Deny` into an `AccessDeniedException`) can produce
the encoded message inline. `fakecloud-iam` re-exports the same
functions for the STS service that decodes them.
Functions

- `decode_message` - Reverse `encode_deny`. Returns the JSON document the encoder stashed, or an `InvalidAuthorizationMessageException`-shaped error when the token isn’t recognizable. Tokens that decode but don’t look like deny payloads are still returned verbatim: AWS’s behavior is to hand back whatever JSON it finds rather than try to interpret it.
- `encode_deny` - Build an encoded authorization message describing a deny decision. The shape mirrors what AWS returns from `DecodeAuthorizationMessage`: an `allowed` flag, an `explicitDeny` flag, and a `matchedStatements.items` array. Optional supplementary keys (`action`, `principal`, `context`) are included so an operator inspecting the decoded blob can see why the request failed.
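The following is an added Python sketch of the round-trip described above, not code from fakecloud. It reproduces the contract the page states (deflate-compressed JSON, base64-encoded; an `InvalidAuthorizationMessageException`-shaped error for unrecognizable tokens; non-deny JSON returned verbatim) and the payload shape listed for `encode_deny`. The function names mirror the module, but the Python error class, the `pack_token`/`encode_json`/`is_deny_payload` helpers, the use of raw deflate (no zlib header) and the sample ARN and policy IDs are assumptions made for the example.

```python
"""Added example (not fakecloud's code): an encode/decode pair with the shape
the module documents. Names mirror the module; the error class, helpers, raw
deflate wrapper and sample data are assumptions."""
import base64
import json
import zlib


class InvalidAuthorizationMessageException(Exception):
    """Shaped like the STS error the module returns; the class itself is ours."""

    code = "InvalidAuthorizationMessageException"


def pack_token(raw: bytes) -> str:
    """deflate + base64: the only transformation a token undergoes (no key, no MAC)."""
    comp = zlib.compressobj(level=9, wbits=-15)  # -15 = raw deflate; assumed wrapper
    return base64.b64encode(comp.compress(raw) + comp.flush()).decode("ascii")


def encode_json(doc) -> str:
    """Stash any JSON document in a token (compact, key-sorted for stable output)."""
    return pack_token(json.dumps(doc, separators=(",", ":"), sort_keys=True).encode())


def encode_deny(action, principal, *, explicit_deny=False,
                matched_statements=None, context=None) -> str:
    """Build the DecodeAuthorizationMessage-style payload: allowed, explicitDeny,
    matchedStatements.items, plus the supplementary action/principal/context keys."""
    payload = {
        "allowed": False,
        "explicitDeny": bool(explicit_deny),
        "matchedStatements": {"items": list(matched_statements or [])},
        "action": action,
        "principal": principal,
    }
    if context is not None:
        payload["context"] = context
    return encode_json(payload)


def decode_message(token: str):
    """Reverse pack_token. Any layer that fails yields the STS-shaped error; a
    document that decodes but is not deny-shaped is handed back verbatim."""
    try:
        deflated = base64.b64decode(token, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidAuthorizationMessageException("token is not base64") from exc
    inflater = zlib.decompressobj(wbits=-15)
    try:
        raw = inflater.decompress(deflated)
    except zlib.error as exc:
        raise InvalidAuthorizationMessageException("token is not a deflate stream") from exc
    if not inflater.eof:  # a truncated stream decompresses silently to a prefix
        raise InvalidAuthorizationMessageException("truncated deflate stream")
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:  # JSONDecodeError is a ValueError
        raise InvalidAuthorizationMessageException("payload is not JSON") from exc


def is_deny_payload(doc) -> bool:
    """Check an operator might apply to a decoded blob before reading it as a deny."""
    if not isinstance(doc, dict) or doc.get("allowed") is not False:
        return False
    matched = doc.get("matchedStatements")
    return isinstance(matched, dict) and isinstance(matched.get("items"), list)


if __name__ == "__main__":
    # Constructed sample deny: a hypothetical IAM policy statement blocking s3:GetObject.
    token = encode_deny(
        "s3:GetObject",
        "arn:aws:iam::123456789012:user/alice",
        explicit_deny=True,
        matched_statements=[{"sourcePolicyId": "DenyS3", "sourcePolicyType": "IAM_POLICY"}],
        context={"aws:SourceIp": "203.0.113.7"},
    )
    print(token)
    print(json.dumps(decode_message(token), indent=2))
```

Because `decode_message` needs nothing but the token, the deny reason is readable by whoever holds it; that is the property to keep in mind if you ever log or return these tokens to untrusted callers. The `eof` check matters: a truncated deflate stream does not raise in zlib, it just returns the bytes decoded so far, so without it a cut-off token would surface as a JSON error instead of the more accurate "not recognizable" one.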