Fixing iam::PassRole Errors

You may see iam:PassRole errors popping up when using AWS services.

Most of the time, it is because you are using a non-root account (an IAM user) and that account lacks the iam:PassRole permission. Adding this permission to the account will fix the error.

Synopsis

AWS services cannot directly assume service-linked roles. The role must be passed to the service by a user who holds the iam:PassRole permission.

The role-passing needs to be done only once. After that, the service can assume the role repeatedly.

The EC2 instance profile is implemented this way. When a user launches an instance, the user passes a role to the instance, and that role acts as the instance profile. Many other service-linked roles are passed in the same way.

Do not confuse it with the iam:CreateRole permission. A user may be free to create service-linked roles and still be unable to pass a role to a service when needed.

In the management console, and to some extent in the CLI commands, role-passing is implicit, so you may run into it without a clear error message when using non-root accounts.
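As an added example (not code from the original post), here is what the fix looks like as a policy: an Allow for iam:PassRole scoped to one role ARN and restricted with the iam:PassedToService condition so the role can only be passed to EC2, next to a small evaluator that checks whether a policy lets a user pass a given role to a given service. The account id and role name are constructed placeholders, and the evaluator is deliberately simplified (Allow statements only, no Deny, NotAction or NotResource).

```python
import fnmatch

# Constructed placeholders, not real identifiers.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MyEc2InstanceRole"

# Least-privilege grant: launch instances, and pass only this role, only to EC2.
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LaunchInstances", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "PassOnlyThisRoleToEc2", "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": ROLE_ARN,
         # Without this condition the role could be passed to any service.
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_pass_role(policy, role_arn, service):
    """True if some Allow statement permits iam:PassRole on role_arn for service.

    Simplified evaluator: Allow only; action names are matched case-insensitively
    with IAM-style '*' wildcards, resources and service names case-sensitively.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            continue
        # No iam:PassedToService condition means any service may receive the role.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        allowed = _as_list(cond.get("iam:PassedToService", ["*"]))
        if not any(fnmatch.fnmatchcase(service, s) for s in allowed):
            continue
        return True
    return False
```

A policy that grants only ec2:RunInstances fails this check, which is the situation the error above describes; a broad iam:* grant passes it for every role and service, which is why the scoped statement is preferable.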
