I need to attach an IAM role to my EC2 instance.

0

The error: PentestEnvironment-Deployment-Role/octopus is not authorized to perform: iam:PassRole on resource. I have a CloudFormation template which creates the EC2 instance and the IAM role for my environment, and I create this whole environment from a non-root account. The IAM role for this account, only the main part:

    {
        "Sid": "IAM1",
        "Effect": "Allow",
        "Action": [ "iam:PassRole" ],
        "Resource": [ "arn:aws:iam:::role/Pentest-EC2-Role" ],
        "Condition": {
            "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" },
            "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:ec2:us-west-2::instance/" ] }
        }
    },
    {
        "Sid": "IAM2",
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:DetachRolePolicy",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:GetRolePolicy"
        ],
        "Resource": [ "arn:aws:iam:::role/Pentest-EC2-Role" ]
    },
    {
        "Sid": "IAM3",
        "Effect": "Allow",
        "Action": [ "iam:ListRoles" ],
        "Resource": [ "" ]
    },
    {
        "Sid": "IAM4",
        "Effect": "Allow",
        "Action": [
            "iam:GetPolicy",
            "iam:CreatePolicy",
            "iam:ListPolicyVersions",
            "iam:CreatePolicyVersion",
            "iam:DeletePolicy",
            "iam:DeletePolicyVersion"
        ],
        "Resource": [ "arn:aws:iam:::policy/Pentest-AWS-resources-Access" ]
    },
    {
        "Sid": "IAM5",
        "Effect": "Allow",
        "Action": [
            "iam:CreateInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:AddRoleToInstanceProfile"
        ],
        "Resource": "arn:aws:iam:::instance-profile/Pentest-Instance-Profile"
    },
    {
        "Sid": "EC2InstanceProfile",
        "Effect": "Allow",
        "Action": [
            "ec2:DisassociateIamInstanceProfile",
            "ec2:AssociateIamInstanceProfile",
            "ec2:ReplaceIamInstanceProfileAssociation"
        ],
        "Resource": "arn:aws:ec2:::instance/"
    }
    ] }

Why do I have this error?

1 Answer
1

Hi

I think you can add another permission to the policy and then recheck whether the issue persists.

{
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": [ "iam:PassRole", "iam:GetRole" ],
    "Resource": [ "arn:aws:iam:::role/Pentest-EC2-Role" ],
    "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" },
        "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:ec2:us-west-2::instance/" ] }
    }
}

Check that the EC2 trust policy is there and that it is correct.

Test the policies: you can use the AWS IAM Policy Simulator to check whether the policy permissions are OK: https://policysim.aws.amazon.com/home/index.jsp?#

GK
answered 2 years ago
  • Thank you! I needed to take the condition out of the policy, and it works :)
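To see what the two condition keys in the question's IAM1 statement actually do, and to make the answer's "check the EC2 trust policy" step concrete, here is an added offline example. It is not code from the original post or from AWS: it is a minimal evaluator for the StringEquals / StringLike operators the statement uses, run against a constructed request context of the kind EC2 presents when iam:PassRole is called during instance launch. The account ID 123456789012, the instance ID and the trust policy document are assumptions; the region, role name and condition keys follow the post. The iam:AssociatedResourceARN pattern is evaluated exactly as it appears on the page, so the example shows that it matches no real instance ARN, and it also shows the practitioner's caveat to the accepted fix: if the ARN condition is dropped, the iam:PassedToService pin can be kept so the role can still only be passed to EC2.

```python
"""Added example: offline evaluation of the question's iam:PassRole statement.
Not from the original post. Account ID, instance ID and trust policy are
constructed; region, role name and condition keys follow the post."""
import copy
import re

ACCOUNT = "123456789012"  # assumption: placeholder account ID
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Pentest-EC2-Role"
# Constructed ARN of an instance being launched in the question's region.
INSTANCE_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:instance/i-0123456789abcdef0"

# The IAM1 statement from the question, with the iam:AssociatedResourceARN
# pattern exactly as it appears on the page (no account, no instance ID).
IAM1_AS_POSTED = {
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": [ROLE_ARN],
    "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "StringLike": {"iam:AssociatedResourceARN": ["arn:aws:ec2:us-west-2::instance/"]},
    },
}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike / ARN-in-Resource matching: case-sensitive, '*' matches
    any run of characters, '?' matches exactly one, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold (AND). A key missing from the request
    context makes the condition false, since no ...IfExists operator is used."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            patterns = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in patterns:
                    return False
            elif operator == "StringLike":
                if not any(iam_string_like(p, actual) for p in patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def statement_allows(statement: dict, action: str, resource: str, context: dict) -> bool:
    """Does this single Allow statement grant `action` on `resource` in `context`?"""
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    return (
        statement["Effect"] == "Allow"
        and any(iam_string_like(a, action) for a in actions)
        and any(iam_string_like(r, resource) for r in resources)
        and condition_matches(statement.get("Condition", {}), context)
    )


def with_resource_pattern(statement: dict, pattern: str) -> dict:
    """Copy of the statement with a different iam:AssociatedResourceARN pattern."""
    s = copy.deepcopy(statement)
    s["Condition"]["StringLike"]["iam:AssociatedResourceARN"] = [pattern]
    return s


def without_resource_condition(statement: dict) -> dict:
    """Copy that drops the ARN match but keeps the iam:PassedToService pin."""
    s = copy.deepcopy(statement)
    del s["Condition"]["StringLike"]
    return s


def trust_policy_allows_ec2(trust_policy: dict) -> bool:
    """The answer's trust-policy check: the role's AssumeRolePolicyDocument
    must let the ec2.amazonaws.com service principal call sts:AssumeRole."""
    for st in trust_policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        services = st.get("Principal", {}).get("Service", [])
        services = services if isinstance(services, list) else [services]
        if st["Effect"] == "Allow" and "sts:AssumeRole" in actions and "ec2.amazonaws.com" in services:
            return True
    return False


# Constructed request context for the PassRole that an EC2 launch triggers.
EC2_CONTEXT = {"iam:PassedToService": "ec2.amazonaws.com", "iam:AssociatedResourceARN": INSTANCE_ARN}
# Constructed trust policy of the kind the answer says to verify.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    variants = [
        ("ARN pattern as posted", IAM1_AS_POSTED),
        ("ARN pattern with account and wildcard", with_resource_pattern(IAM1_AS_POSTED, f"arn:aws:ec2:us-west-2:{ACCOUNT}:instance/*")),
        ("ARN condition dropped, service pin kept", without_resource_condition(IAM1_AS_POSTED)),
    ]
    for label, st in variants:
        print(f"{label}: PassRole allowed = {statement_allows(st, 'iam:PassRole', ROLE_ARN, EC2_CONTEXT)}")
    print("trust policy allows EC2:", trust_policy_allows_ec2(EC2_TRUST_POLICY))
```

The third variant is the least-privilege version of the accepted fix: removing only the StringLike block makes the launch work while the StringEquals on iam:PassedToService still refuses to pass Pentest-EC2-Role to any service other than EC2. The trust policy check mirrors what the answer asks you to confirm on the role itself; the matcher is deliberately limited to the two operators the post uses and is not a general IAM policy engine.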
