I get the error `PentestEnvironment-Deployment-Role/octopus is not authorized to perform: iam:PassRole on resource`. I have a CloudFormation template that creates an EC2 instance and an IAM role for my environment, and I create all of this environment from a non-root account.
The IAM policy for this account — only the main part is shown (note that some `*` wildcards in the ARNs below appear to have been stripped by the page formatting, so the empty account/resource segments may not be what the real policy contains):
{
"Sid": "IAM1",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam:::role/Pentest-EC2-Role"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
},
"StringLike": {
"iam:AssociatedResourceARN": [
"arn:aws:ec2:us-west-2::instance/"
]
}
}
},
{
"Sid": "IAM2",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam:::role/Pentest-EC2-Role"
]
},
{
"Sid": "IAM3",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
""
]
},
{
"Sid": "IAM4",
"Effect": "Allow",
"Action": [
"iam:GetPolicy",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion"
],
"Resource": [
"arn:aws:iam:::policy/Pentest-AWS-resources-Access"
]
},
{
"Sid": "IAM5",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:AddRoleToInstanceProfile"
],
"Resource": "arn:aws:iam:::instance-profile/Pentest-Instance-Profile"
},
{
"Sid": "EC2InstanceProfile",
"Effect": "Allow",
"Action": [
"ec2:DisassociateIamInstanceProfile",
"ec2:AssociateIamInstanceProfile",
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "arn:aws:ec2:::instance/"
}
]
}
Why do I get this error?
Thank you! I needed to remove the condition from the policy, and now it works. (Presumably the `iam:PassedToService` / `iam:AssociatedResourceARN` conditions did not match the request context of the call CloudFormation actually makes, so statement `IAM1` never applied; be aware that dropping the condition also widens the grant, since `Pentest-EC2-Role` can then be passed to any service and resource rather than only EC2 instances in `us-west-2`.)