IAM:PassRole may have been confusing to you, but here is a clear explanation of what it actually does.
IAM:PassRole Overview
What exactly is "passing" a role?
Whenever you create an AWS resource in the console, you will often find an "attach existing role / create role" option. This is the most common use case of IAM:PassRole. Without the IAM:PassRole permission, we cannot give any IAM role to a service.
Technically, "passing" a role is the same as "attaching" a role to an AWS service.
What is IAM:PassRole?
IAM:PassRole simply allows an IAM user or role to pass a specific role (or roles) to an AWS service, nothing more than that. See: AWS Documentation
Diagram (image not reproduced here)
So can any role be passed to any service?
- No. Only when the role lists the service that you want to pass (attach) it to as a trusted entity (in its trust relationships).
- To pass a role, we first need to create the correct trust relationship.
- This rule tends to be overlooked, because AWS manages it for us most of the time.
Experiment
- Notice that the custom role Demo_EC2_IAMReadOnlyPermission that I am using for this experiment has ec2.amazonaws.com as its trusted entity.
Create an IAM user without any IAM:PassRole permission
Created an IAM user named user-with-no-PassRole
Denied all PassRole permissions
- Expected result: whenever I try to create an AWS service with a role attached, it must be denied.
Launching EC2 with a role attached
Giving IAMReadOnlyPermission to the instance
The launch failed
Change the policy and re-launch the EC2 instance
Changed the policy so that if aws:Service equals ec2, then allow
And the launch succeeded
Examples
Allow an IAM user or role to pass any role to the Amazon EC2 service, to be used with instances in the us-east-1 or us-west-1 Region (IAM policy). The statement below is wrapped in the Version/Statement envelope so that it is a complete, attachable policy document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "StringLike": {
          "iam:AssociatedResourceARN": [
            "arn:aws:ec2:us-east-1:111122223333:instance/*",
            "arn:aws:ec2:us-west-1:111122223333:instance/*"
          ]
        }
      }
    }
  ]
}
Allow passing any IAM service role to the Amazon CloudWatch service (IAM policy).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "cloudwatch.amazonaws.com"}
      }
    }
  ]
}
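The post makes two separate points: a caller needs an identity policy that allows iam:PassRole (the experiment and the two example policies), and the role itself must trust the target service in its trust relationships. The following is an added example, not code from the original post, that models both checks as a small, offline Python evaluator. The account id, the trust policy of Demo_EC2_IAMReadOnlyPermission, and the user-with-no-PassRole identity policy are constructed sample data; the EC2 PassRole policy is the post's first example. It is a simplified model of IAM evaluation (only StringEquals and StringLike conditions, explicit Deny wins, otherwise an Allow is needed), not the real IAM engine.

```python
"""Toy model of the two checks behind iam:PassRole (added example, not from the post).

  1. the caller's identity policy must allow iam:PassRole on the role's ARN,
     with any iam:PassedToService / iam:AssociatedResourceARN conditions met;
  2. the role's trust policy must list the target service as a trusted principal.
All ARNs and policies below are constructed sample data.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Demo_EC2_IAMReadOnlyPermission"

# Assumed trust policy of the experiment's role: only EC2 may assume it.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Assumed identity policy of user-with-no-PassRole: can launch, but no iam:PassRole.
NO_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}],
}

# The post's first example policy: PassRole only to EC2, only for us-east-1/us-west-1 instances.
EC2_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {
            "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
            "StringLike": {"iam:AssociatedResourceARN": [
                f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
                f"arn:aws:ec2:us-west-1:{ACCOUNT}:instance/*",
            ]},
        },
    }],
}

# Unconditional PassRole on every role: shows that the trust policy is still a second gate.
PASS_ANY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(condition, context):
    """StringEquals / StringLike only; a missing context key or unknown operator fails."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not any(fnmatchcase(actual, p) for p in _as_list(wanted)):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False
    return True


def identity_allows_passrole(policy, role_arn, context):
    """Simplified IAM logic: explicit Deny wins, otherwise any matching Allow, else deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase("iam:PassRole", a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(role_arn, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def role_trusts_service(trust_policy, service):
    """True if an Allow statement lets `service` call sts:AssumeRole on the role."""
    for st in trust_policy["Statement"]:
        if st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"]) \
                and service in _as_list(st.get("Principal", {}).get("Service", [])):
            return True
    return False


def can_pass_role(identity_policy, trust_policy, role_arn, service, resource_arn):
    """Return (allowed, reason) for passing role_arn to service for resource_arn."""
    context = {"iam:PassedToService": service, "iam:AssociatedResourceARN": resource_arn}
    if not identity_allows_passrole(identity_policy, role_arn, context):
        return False, "caller's identity policy does not allow iam:PassRole for this request"
    if not role_trusts_service(trust_policy, service):
        return False, f"role's trust policy does not trust {service}"
    return True, "allowed"


if __name__ == "__main__":
    instance = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
    print(can_pass_role(NO_PASSROLE_POLICY, ROLE_TRUST_POLICY, ROLE_ARN, "ec2.amazonaws.com", instance))
    print(can_pass_role(EC2_PASSROLE_POLICY, ROLE_TRUST_POLICY, ROLE_ARN, "ec2.amazonaws.com", instance))
```

Running it reproduces the experiment: user-with-no-PassRole is denied, the EC2-scoped policy is allowed for an instance in us-east-1 but denied for another Region or another service, and even an unconditional iam:PassRole policy is refused for a service the role does not trust.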
Conclusion
- Without IAM:PassRole, the current IAM user, role, or group cannot attach any role to another AWS service.