I tried to perform an API action with an AWS Identity and Access Management (IAM) user to pass a role to an AWS service. The API action failed, and I received an error similar to the following: "You are not authorized to perform this operation. User: arn:aws:iam::123456789012:user/Bob is not authorized to perform: iam:PassRole."
Short description
Some AWS services allow you to pass an existing IAM role to that service so that you don't need to create a new service role. However, you must have permission to pass the IAM role to the AWS service.
Resolution
To resolve this issue, update the IAM policy to allow the IAM user to perform the iam:PassRole API action for the AWS service.
Note: You can use the PassRole permission only to pass an IAM role to an AWS service in the same AWS account; you can't use it to pass a role to a service in another account. For more information, see Cross-account resource access in IAM.
The following example IAM policy allows an IAM user to pass the role that's named ExampleRole to the Amazon Elastic Compute Cloud (Amazon EC2) service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::account-ID:role/ExampleRole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
Note: Replace ExampleRole with your role and account-ID with your account ID.
For more information, see Grant a user permissions to pass a role to an AWS service.
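The following added example (not part of this article or of AWS's own tooling) evaluates PassRole requests offline against the policy above, so you can see why the Resource and iam:PassedToService condition matter: the scoped policy allows ExampleRole to be passed to EC2 only, while a contrasting "Resource": "*" policy with no condition lets the user pass any role to any service. The account ID 123456789012 is a placeholder, and the evaluator models only the policy elements this article uses (Action, Resource, StringEquals), not the full IAM evaluation logic.

```python
from fnmatch import fnmatchcase
# Constructed copy of the article's policy; 123456789012 is a placeholder account ID.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::123456789012:role/ExampleRole",
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
    }],
}

# Constructed over-broad variant for contrast: any role may be passed to any service.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, context):
    # Only StringEquals is modelled: each condition key must equal one of its listed values.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def passrole_allowed(policy, role_arn, passed_to_service):
    """Simplified evaluation of one iam:PassRole request: default deny, explicit Deny wins."""
    context = {"iam:PassedToService": passed_to_service}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # A statement applies only when action, resource and condition all match.
        if not any(fnmatchcase("iam:PassRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/ExampleRole"
    print(passrole_allowed(PASSROLE_POLICY, role, "ec2.amazonaws.com"))     # True
    print(passrole_allowed(PASSROLE_POLICY, role, "lambda.amazonaws.com"))  # False
    print(passrole_allowed(BROAD_POLICY, "arn:aws:iam::123456789012:role/OtherRole", "lambda.amazonaws.com"))  # True
```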
Related information
How to use the PassRole permission with IAM roles