Sunbeom Kweon (Ben)

[AWS Experiment] 5 - IAM:PassRole

IAM:PassRole may have confused you in the past. Here is the clearest explanation I can give of what IAM:PassRole does.

IAM:PassRole Overview

What exactly does "passing" a role mean?

  • Whenever you create an AWS resource in the console, you often see an option to attach an existing role or create a new one. This is the most common use case of IAM:PassRole. Without the IAM:PassRole permission, we cannot give any IAM role to a service.

  • Technically, "passing" a role is the same as "attaching" a role to an AWS service.

What is IAM:PassRole?

  • IAM:PassRole simply allows an IAM user or role to pass one or more specific roles to an AWS service, nothing more than that (see the AWS Documentation).

  • Diagram (image not reproduced here)

  • So can any role be passed to any service?

    • No. A role can only be passed to a service that the role lists as a trusted entity (in its trust relationships).
    • To pass a role, we first need to create the correct trust relationship.
    • This rule tends to be overlooked, because AWS usually manages the trust relationship for us.

Experiment

  • Notice that the custom role Demo_EC2_IAMReadOnlyPermission that I am using for this experiment has ec2.amazonaws.com as its trusted entity.

Create an IAM user without any IAM:PassRole permission

Created an IAM user named user-with-no-PassRole

Denied all PassRole permissions

  • Expected result: whenever I try to create an AWS resource with any role attached, the request must be denied.

Launching an EC2 instance with a role attached

Giving IAMReadOnlyPermission to the instance

The launch failed

Change the policy and re-launch the EC2 instance

Changed the policy: if aws:Service equals ec2, then allow

And the launch succeeded

Examples

Allow an IAM user or role to pass any role to the Amazon EC2 service to be used with instances in the Region us-east-1 or us-west-1 (IAM Policy).

{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "StringLike": {
            "iam:AssociatedResourceARN": [
                "arn:aws:ec2:us-east-1:111122223333:instance/*",
                "arn:aws:ec2:us-west-1:111122223333:instance/*"
            ]
        }
    }
}

Allow passing any IAM service role to the Amazon CloudWatch service (IAM Policy).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "cloudwatch.amazonaws.com"}
            }
        }
    ]
}
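As an added example (not part of the original post), here is a small Python model of the two checks described above: the caller's iam:PassRole permission, evaluated with the iam:PassedToService and iam:AssociatedResourceARN condition keys from the policy examples, and the role's own trust policy. The policy statement, trust policy, account ID and role ARN are constructed sample values; real IAM evaluation also involves Deny statements, permissions boundaries and SCPs, which this model leaves out.

```python
import fnmatch

def as_list(value):  # IAM accepts either a single string or a list in most positions
    return value if isinstance(value, list) else [value]

# Constructed PassRole statement, modelled on the post's first example (EC2, two Regions).
PASSROLE_STATEMENT = {
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
    "Condition": {
        "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
        "StringLike": {"iam:AssociatedResourceARN": [
            "arn:aws:ec2:us-east-1:111122223333:instance/*",
            "arn:aws:ec2:us-west-1:111122223333:instance/*"]}}}

# Constructed trust policy for the demo role: only ec2.amazonaws.com may assume it.
EC2_TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"Service": "ec2.amazonaws.com"}}]}

# Condition operators from the post's examples; StringLike is case-sensitive with * and ? wildcards.
MATCHERS = {
    "StringEquals": lambda actual, pattern: actual == pattern,
    "StringLike": fnmatch.fnmatchcase,
}

def condition_matches(condition, context):
    """Every key under every operator must match; a missing context key fails the test."""
    for operator, tests in condition.items():  # KeyError for operators not modelled here
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None or not any(MATCHERS[operator](actual, p) for p in as_list(expected)):
                return False
    return True

def statement_allows_passrole(statement, role_arn, context):
    """Gate 1: does the caller's Allow statement grant iam:PassRole on role_arn in this context?"""
    if (statement["Effect"] != "Allow" or "iam:PassRole" not in as_list(statement["Action"])
            or not any(fnmatch.fnmatchcase(role_arn, r) for r in as_list(statement["Resource"]))):
        return False
    return condition_matches(statement.get("Condition", {}), context)

def role_trusts_service(trust_policy, service):
    """Gate 2: the role's trust policy must name the receiving service as a principal."""
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in as_list(s["Action"])
               and service in as_list(s.get("Principal", {}).get("Service", []))
               for s in trust_policy["Statement"])

def can_pass_role(statement, trust_policy, role_arn, service, resource_arn):
    """Both gates from the post must pass before the service can receive the role."""
    context = {"iam:PassedToService": service, "iam:AssociatedResourceARN": resource_arn}
    return statement_allows_passrole(statement, role_arn, context) and role_trusts_service(trust_policy, service)
```

A role that trusts only lambda.amazonaws.com fails the second gate even when the caller's PassRole policy would allow the pass, which is the "trusted entities" rule from the overview.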

Conclusion

  • Without IAM:PassRole, the current IAM user, role, or group cannot attach any role to another AWS service.
