User: arn:aws:sts::357:assumed-role/ExternalDeveloper/ is not authorized to perform: iam:PassRole on resource: arn:aws:iam::357:role/ExternalDeveloper because no iden


I am getting this error when I try to export a RDS snapshot to s3.I am logged in with ExternalDeveloper role to one of my AWS accounts.

Which policy should I attach to resolve this and how can we make changes to the permissions of ExternalDeveloper role.

Please help me resolve this.

asked 3 months ago102 views
1 Answer

Before you export DB snapshot data to Amazon S3, give the snapshot export tasks write-access permission to the Amazon S3 bucket.

To grant this permission, create an IAM policy that provides access to the bucket, then create an IAM role and attach the policy to the role. You later assign the IAM role to your snapshot export task.

To give DB snapshot tasks access to Amazon S3

Create an IAM policy. This policy provides the bucket and object permissions that allow your snapshot export task to access Amazon S3. In the policy, include the following required actions to allow the transfer of files from Amazon RDS to an S3 bucket:

  • s3:PutObject*
  • s3:GetObject*
  • s3:ListBucket
  • s3:DeleteObject*
  • s3:GetBucketLocation

In the policy, include the following resources to identify the S3 bucket and objects in the bucket. The following list of resources shows the Amazon Resource Name (ARN) format for accessing Amazon S3. arn:aws:s3:::your-s3-bucket arn:aws:s3:::your-s3-bucket/* For more information on creating an IAM policy for Amazon RDS, see Creating and using an IAM policy for IAM database access. See also Tutorial: Create and attach your first customer managed policy in the IAM User Guide. The following AWS CLI command creates an IAM policy named ExportPolicy with these options. It grants access to a bucket named your-s3-bucket.

Create an IAM role, so that Amazon RDS can assume this IAM role on your behalf to access your Amazon S3 buckets. For more information, see Creating a role to delegate permissions to an IAM user in the IAM User Guide. The following example shows using the AWS CLI command to create a role named rds-s3-export-role.

Attach the iam policy to the role.

profile picture
answered 3 months ago
  • Hey Gary,

    Thanks for the prompt reply. Before creating a new policy, can I get around a way to resolve my ExternalDeveloper role issue.

    I am switching role to this account, by using "ExternalDeveloper" in the role field. I assume this is part of "AssumeRole" policy.

    But how can I increase the permissions of my ExternalDeveloper Role or can I switch with a new role.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content