From f0acfa8d40428c0b0bade2777a3b9e2146701ac3 Mon Sep 17 00:00:00 2001
From: Michael Golowka <72365+pcman312@users.noreply.github.com>
Date: Mon, 17 May 2021 14:45:13 -0600
Subject: [PATCH] AWS Auth: Update error message to include underlying error (#11638) (#11639)
---
 builtin/credential/aws/path_login.go | 2 +-
 changelog/11638.txt | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelog/11638.txt
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 499c734aebdb1..959e4493b7f56 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -1356,7 +1356,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 if roleEntry.InferredEntityType == ec2EntityType {
 instance, err := b.validateInstance(ctx, req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
 if err != nil {
- return logical.ErrorResponse(fmt.Sprintf("failed to verify %s as a valid EC2 instance in region %s", entity.SessionInfo, roleEntry.InferredAWSRegion)), nil
+ return logical.ErrorResponse("failed to verify %s as a valid EC2 instance in region %s: %s", entity.SessionInfo, roleEntry.InferredAWSRegion, err), nil
 }

 // build a fake identity doc to pass on metadata about the instance to verifyInstanceMeetsRoleRequirements
diff --git a/changelog/11638.txt b/changelog/11638.txt
new file mode 100644
index 0000000000000..5ed50652b150f
--- /dev/null
+++ b/changelog/11638.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/aws: Underlying error included in validation failure message.
+```
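Review bot: The `err` now appended to the response in the `if err != nil` branch is returned on the login path, to a caller who has not yet authenticated, so whatever `validateInstance` puts in its errors becomes visible to that caller. `validateInstance` is not shown in this hunk; if it wraps AWS API or storage errors, those may carry account IDs, role ARNs or request details describing the server-side configuration, which is worth confirming before merging. A safer split is to keep the full error in the server log, e.g. `b.Logger().Debug("ec2 instance validation failed", "instance", entity.SessionInfo, "error", err)` (assuming the backend logger is reachable here), and return only a curated reason to the client. If the detail must stay in the response, a comment such as `// err is shown to unauthenticated callers; validateInstance must not return internal details` would record that contract. The body of pathLoginUpdateIam starts and ends outside this hunk.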