In the end the solution was to use this:
And directly add another principal policy to allow role assume.
Hello.
If you just want to attach a created IAM role to an AWS resource, you can attach the IAM role by allowing "iam:PassRole" as shown in the error message.
So please try creating a custom policy like the one below or adding an inline policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}
```
The error message you got is not because the role with that policy can't do role assumptions. It is because the action you are taking requires that the current role/user have the "PassRole" permission. You are 'passing a role for an AWS service to assume'.
Many services require that permission when you want that service to use a role you configure. For example, you might be launching an instance and assigning that instance the role "arn:aws:iam::xyz:role/foo". EC2 requires you to have the permission to do "PassRole" on "foo". PowerUserAccess does not include the PassRole permission. You can define an additional custom policy (like the example Riku_Kobayashi gave) and use that in the PermissionSet. You should be very careful with that custom policy so that people won't be abusing it to escalate permissions, for example by passing a more powerful role to an EC2 instance and then escalating from there. Instead of using "*" as in Riku's example, put in more specific resources and use conditions like iam:PassedToService to limit which services roles may be passed to (see some examples in the user doc below).
For explanation of the concept and how to use PassRole, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
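A scoped version of the PassRole policy, written here as an added example rather than taken from either answer: it allows passing only one named role, and only to EC2, by pinning the Resource to that role's ARN and adding the iam:PassedToService condition key. The account id 111122223333 and the role name foo are placeholders; substitute your own.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassOnlyRoleFooToEc2",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/foo",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
```

PassRole by itself does not grant the launching action (for example ec2:RunInstances); that still has to come from PowerUserAccess or another attached policy, and any attempt to pass a role other than foo, or to a service other than EC2, is denied and shows up as an AccessDenied in CloudTrail.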