Fixing iam::PassRole Errors

You may see iam::PassRole errors popping up when using services.

Most of the time, it is because you are using a non-root account (or IAM user), and the account lacks the iam::PassRole permission. Add this permission to said account will fix the error.

Synopsis

AWS Services cannot directly assume service-linked roles. The role must be passed to the service by a user with the iam::PassRole permission.

The role-passing needs to be done only once. After that the service can assume the role repeatedly.

EC2 Instance profile is implemented this way. When a user launches an instance, it passes a role to the instance to act as an instance profile. Many other service-linked roles are also passed in this way.

Do not confuse it with the iam::CreateRole permission. A user may freely create service-linked roles, but is unable to pass the role to a service when needed.

In the management console, and to some extent in the CLI commands, role-passing is implicit, so you may encounter it without clear error messages when using non-root accounts.

See Also