I need to attach IAM role to my EC2 instance.


"PentestEnvironment-Deployment-Role/octopus is not authorized to perform: iam:PassRole on resource."

I have a CloudFormation template which creates the EC2 instance and the IAM role for my environment, and I create all of this environment from a non-root account. The IAM role for this account (only the main part):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IAM1",
            "Effect": "Allow",
            "Action": [ "iam:PassRole" ],
            "Resource": [ "arn:aws:iam::*:role/Pentest-EC2-Role" ],
            "Condition": {
                "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" },
                "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:ec2:us-west-2:*:instance/*" ] }
            }
        },
        {
            "Sid": "IAM2",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": [ "arn:aws:iam::*:role/Pentest-EC2-Role" ]
        },
        {
            "Sid": "IAM3",
            "Effect": "Allow",
            "Action": [ "iam:ListRoles" ],
            "Resource": [ "*" ]
        },
        {
            "Sid": "IAM4",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicy",
                "iam:CreatePolicy",
                "iam:ListPolicyVersions",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion"
            ],
            "Resource": [ "arn:aws:iam::*:policy/Pentest-AWS-resources-Access" ]
        },
        {
            "Sid": "IAM5",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": "arn:aws:iam::*:instance-profile/Pentest-Instance-Profile"
        },
        {
            "Sid": "EC2InstanceProfile",
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*"
        }
    ]
}

Why do I have this error?

1 Answer

Hi

I think you can add another permission to the policy and recheck whether the issue persists.

{
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": [ "iam:PassRole", "iam:GetRole" ],
    "Resource": [ "arn:aws:iam::*:role/Pentest-EC2-Role" ],
    "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" },
        "StringLike": { "iam:AssociatedResourceARN": [ "arn:aws:ec2:us-west-2:*:instance/*" ] }
    }
}

Check that the EC2 trust policy is there and that it's correct.

Test the policies: you can use the AWS IAM Policy Simulator to check whether the policy permissions are okay: https://policysim.aws.amazon.com/home/index.jsp?#

GK
answered 2 years ago
  • Thank you! I needed to take away the condition from the policy, and it works :)
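The answer points at the Policy Simulator, and the asker's follow-up says the fix was to drop the Condition block. The following is an added example, not code from the original post or from AWS: a small local evaluator in Python that reproduces only the IAM semantics relevant to that statement (Action/Resource wildcard matching, StringEquals and StringLike, and the rule that a condition key absent from the request context makes the condition fail) and runs the IAM1 statement against a few constructed request contexts. It shows why a region mismatch or a missing iam:AssociatedResourceARN key turns the Allow into an implicit deny, and that keeping only the iam:PassedToService condition (an assumed narrower alternative to removing the whole Condition) still allows the pass while restricting the role to EC2. The account ID, instance ID and `evaluate`/`run_scenarios` names are constructed for the example.

```python
"""Local evaluator for one IAM Allow statement (added example, not from the post).
Covers only: Action/Resource wildcards, StringEquals, StringLike, and the rule
that a missing context key fails a (non-IfExists) condition."""
import fnmatch

# Copy of the IAM1 statement from the question, with the '*' wildcards that the
# page extraction dropped restored. The account ID below is a constructed placeholder.
PASS_ROLE_STATEMENT = {
    "Sid": "IAM1",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": ["arn:aws:iam::*:role/Pentest-EC2-Role"],
    "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "StringLike": {"iam:AssociatedResourceARN": ["arn:aws:ec2:us-west-2:*:instance/*"]},
    },
}
ROLE_ARN = "arn:aws:iam::123456789012:role/Pentest-EC2-Role"  # constructed account ID

# Constructed request contexts: what the PassRole request carries when EC2 is the
# service the role is passed to.
CONTEXT_OK = {
    "iam:PassedToService": "ec2.amazonaws.com",
    "iam:AssociatedResourceARN": "arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0",
}
CONTEXT_OTHER_REGION = dict(CONTEXT_OK,
    **{"iam:AssociatedResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"})
CONTEXT_NO_INSTANCE_ARN = {"iam:PassedToService": "ec2.amazonaws.com"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; case-sensitive.
    return fnmatch.fnmatchcase(value, pattern)


def condition_matches(condition, context):
    """Return (ok, reason). A key absent from the request fails the condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False, f"context key {key} missing from request"
            actual = context[key]
            if operator == "StringEquals":
                ok = any(actual == e for e in _as_list(expected))
            elif operator == "StringLike":
                ok = any(_glob(e, actual) for e in _as_list(expected))
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
            if not ok:
                return False, f"{operator} on {key}: {actual!r} does not match {expected!r}"
    return True, "all conditions satisfied"


def evaluate(statement, action, resource, context):
    """Decision for a single Allow statement: ('allow' | 'implicit deny', reason)."""
    if not any(_glob(a, action) for a in _as_list(statement["Action"])):
        return "implicit deny", "action not covered by statement"
    if not any(_glob(r, resource) for r in _as_list(statement["Resource"])):
        return "implicit deny", "resource not covered by statement"
    ok, reason = condition_matches(statement.get("Condition", {}), context)
    if not ok:
        return "implicit deny", reason
    return statement["Effect"].lower(), reason


def run_scenarios():
    """Evaluate iam:PassRole on the role under several policy/context variants."""
    # Variant 1: the asker's fix, the whole Condition block removed.
    no_condition = {k: v for k, v in PASS_ROLE_STATEMENT.items() if k != "Condition"}
    # Variant 2 (assumed narrower alternative): keep only the iam:PassedToService check.
    service_only = dict(PASS_ROLE_STATEMENT,
                        Condition={"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}})
    return {
        "matching_region": evaluate(PASS_ROLE_STATEMENT, "iam:PassRole", ROLE_ARN, CONTEXT_OK),
        "other_region": evaluate(PASS_ROLE_STATEMENT, "iam:PassRole", ROLE_ARN, CONTEXT_OTHER_REGION),
        "key_absent": evaluate(PASS_ROLE_STATEMENT, "iam:PassRole", ROLE_ARN, CONTEXT_NO_INSTANCE_ARN),
        "condition_removed": evaluate(no_condition, "iam:PassRole", ROLE_ARN, CONTEXT_NO_INSTANCE_ARN),
        "service_only": evaluate(service_only, "iam:PassRole", ROLE_ARN, CONTEXT_NO_INSTANCE_ARN),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_scenarios().items():
        print(f"{name:18s} {decision:14s} {reason}")
```

Running the script prints one line per scenario; only `matching_region`, `condition_removed` and `service_only` come out as `allow`. The evaluator is a teaching aid for reading the denial, not a replacement for the simulator the answer links: the authoritative check is to run the real policy through the IAM Policy Simulator (or `aws iam simulate-custom-policy` with context entries for `iam:PassedToService` and `iam:AssociatedResourceARN`) against the region and resource the template actually uses. From a least-privilege standpoint the `service_only` variant is worth preferring over deleting the whole Condition, since it keeps the role from being passed to services other than EC2.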
