How do I resolve the IAM user error "not authorized to perform iam:PassRole"?


I tried to perform an API action with an AWS Identity and Access Management (IAM) user to pass a role to an AWS service. The API action failed, and I received an error similar to the following: "You are not authorized to perform this operation. User: arn:aws:iam::123456789012:user/Bob is not authorized to perform: iam:PassRole."

Short description

Some AWS services allow you to pass an existing IAM role to that service so that you don't need to create a new service role. However, you must have permission to pass the IAM role to the AWS service.

Resolution

To resolve this issue, update the IAM policy to allow the IAM user to perform the iam:PassRole API action for the AWS service.

Note: The PassRole permission can be used only to pass an IAM role to an AWS service in the same AWS account, not to a service in another account. For more information, see Cross-account resource access in IAM.

The following example IAM policy allows an IAM user to pass the role that's named ExampleRole to the Amazon Elastic Compute Cloud (Amazon EC2) service:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account-ID:role/ExampleRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}

Note: Replace ExampleRole with your role and account-ID with your account ID.
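As an added illustration that is not part of the AWS article, the following Python checks whether a policy document shaped like the one above allows iam:PassRole for a given role and service, and flags PassRole grants that are broader than the scoped example. The sample policies (SCOPED and BROAD) and the simplified evaluation logic are constructed for this example; it understands only the StringEquals iam:PassedToService condition, not the full IAM evaluation model.

```python
import re

# Constructed sample policies (not from the article): SCOPED mirrors the article's
# example; BROAD is the kind of grant that makes PassRole risky.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/ExampleRole",
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _grants_passrole(stmt):
    return any(_match(a, "iam:PassRole", True) for a in _as_list(stmt.get("Action", [])))

def passrole_allowed(policy, role_arn, service):
    # Simplified identity-policy evaluation: an explicit Deny wins over any Allow.
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _grants_passrole(stmt):
            continue
        if not any(_match(r, role_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        svc = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if svc is not None and service not in _as_list(svc):
            continue  # condition not met, so this statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def audit_passrole(policy):
    # Flag Allow statements that grant PassRole more broadly than the article's example.
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or not _grants_passrole(stmt):
            continue
        if any("*" in r for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: PassRole resource contains a wildcard")
        if "iam:PassedToService" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: PassRole not limited with iam:PassedToService")
    return findings
```

For a check against the live evaluation of your own account, the IAM policy simulator (simulate-principal-policy) accepts iam:PassRole with an iam:PassedToService context entry.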

For more information, see Grant a user permissions to pass a role to an AWS service.

Related information

How to use the PassRole permission with IAM roles

AWS OFFICIAL
Updated 2 months ago