1 Answer
Hello.
Do you have your IAM user policy set to allow "iam:PassRole"?
Failure to do so will result in an error when setting up the IAM role on EC2.
Specifically, make sure the following policy settings are in place.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    }
  ]
}
```
Thanks for the reply. Decode the error message with the following command. Can you share the error message after decoding?
Not working, this is the inline policy attached to the user doing this action:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "iam:PassRole",
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListEc2AndListInstanceProfiles",
      "Effect": "Allow",
      "Action": [
        "iam:ListInstanceProfiles",
        "ec2:Describe*",
        "ec2:Search*",
        "ec2:Get*"
      ],
      "Resource": "*"
    }
  ]
}
```

Decoded error message:

```json
"DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDAWVO7QCYB3TM","name":"developer","arn":"arn:aws:iam::9387594693756:user/developer"},"action":"ec2:ReplaceIamInstanceProfileAssociation","resource":"arn:aws:ec2:us-east-1:9387594693756:instance/i-0062c02384dd31df1","conditions":{"items":[{"key":"ec2:InstanceAutoRecovery","values":{"items":[{"value":"default"}]}},{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","
```
Thank you for sharing your message. From the message, it seems that the "ec2:ReplaceIamInstanceProfileAssociation" is missing from the user's policy. So, please add "ec2:ReplaceIamInstanceProfileAssociation".
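The triage done by hand in this thread (read the decoded `DecodedMessage`, pull out `context.action`, and check whether any Allow statement in the user's policy matches it) can be scripted. The following is an added example, not code from the thread or from AWS: it embeds the user's inline policy as posted above and a constructed, complete stand-in for the decoded failure with placeholder account and instance ids; it matches action names only, ignoring resource ARNs and conditions.

```python
import fnmatch
import json

# The user's inline policy from the thread (asterisks restored), embedded as sample input.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListRoleTags", "iam:ListRoles", "iam:ListRolePolicies",
                    "iam:GetRolePolicy", "iam:PassRole", "iam:*"],
         "Resource": "*"},
        {"Sid": "ListEc2AndListInstanceProfiles", "Effect": "Allow",
         "Action": ["iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Search*", "ec2:Get*"],
         "Resource": "*"},
    ],
}

# Constructed stand-in for the decoded authorization failure (placeholder account and ids).
DECODED_MESSAGE = json.dumps({
    "allowed": False, "explicitDeny": False, "matchedStatements": {"items": []},
    "context": {
        "principal": {"arn": "arn:aws:iam::111111111111:user/developer"},
        "action": "ec2:ReplaceIamInstanceProfileAssociation",
        "resource": "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0",
    },
})

def action_allowed(policy, action):
    """Return the Sids of Allow statements whose Action matches `action`.
    IAM action names are case-insensitive and '*' is the wildcard; resources
    and conditions are ignored here, so this is first-pass triage only."""
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def triage(policy, decoded_message):
    """Read a decoded failure message and report the denied action, whether
    the deny was explicit, and which Allow statements (if any) cover it."""
    msg = json.loads(decoded_message)
    action = msg["context"]["action"]
    return {"action": action, "explicit_deny": msg["explicitDeny"],
            "matching_statements": action_allowed(policy, action)}

if __name__ == "__main__":
    print(json.dumps(triage(USER_POLICY, DECODED_MESSAGE), indent=2))
```

For the policy above the result shows `iam:PassRole` covered by `VisualEditor0` but no statement matching `ec2:ReplaceIamInstanceProfileAssociation`, which is the gap the last reply points out; an empty match list with `explicit_deny` false is the signature of a missing Allow rather than a Deny.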