You may see iam:PassRole errors popping up when using services. Most of the time it is because you are using a non-root account (an IAM user) that lacks the iam:PassRole permission. Adding this permission to that account fixes the error.
Synopsis
AWS services cannot directly assume service-linked roles. The role must be passed to the service by a user who holds the iam:PassRole permission.
The role needs to be passed only once; after that the service can assume the role repeatedly.
The EC2 instance profile is implemented this way: when a user launches an instance, they pass a role to the instance, which acts as its instance profile. Many other service-linked roles are passed in the same way.
Do not confuse this with the iam:CreateRole permission. A user may freely create service-linked roles and still be unable to pass a role to a service when needed.
In the management console, and to some extent in the CLI, role-passing is implicit, so when using a non-root account you may run into it without a clear error message.
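Because iam:PassRole lets a user hand any role it covers to a service, the permission should be granted for specific role ARNs and, via the iam:PassedToService condition key, for specific services only. The following added example (not AWS code, not from this page) is a toy evaluator of PassRole statements that shows the difference between a blanket grant and a scoped one; the account id, role names and policies are constructed sample values.

```python
"""Toy evaluator for iam:PassRole statements (added example, not AWS code).
Models only Action, Resource wildcards and the iam:PassedToService
condition key; it is not the full IAM evaluation logic."""
import fnmatch

# Constructed sample policies (account id and role names are made up).
# BROAD lets the user pass any role to any service; SCOPED is the
# least-privilege form: one role, one destination service.
BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

SCOPED_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/ec2-app-role",
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
}]}

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(cond, service):
    """True if every condition is satisfied; anything this toy does not
    model (other keys or operators) is treated as unsatisfied."""
    for operator, keys in cond.items():
        for key, expected in keys.items():
            if key != "iam:PassedToService":
                return False
            expected = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals" and service not in expected:
                return False
            if operator == "StringLike" and not any(_matches(e, service) for e in expected):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True

def can_pass_role(policy, role_arn, service):
    """True if the policy allows passing role_arn to service.
    As in IAM, an explicit Deny wins over any Allow."""
    allowed = False
    for st in policy.get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_matches(a.lower(), "iam:passrole") for a in actions):
            continue  # action names are case-insensitive
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_matches(r, role_arn) for r in resources):
            continue
        if not _condition_ok(st.get("Condition", {}), service):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```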
See Also
- Official docs, elaborate but not very neat