Home > Mobile >  AWS User not authorized to perform PassRole
AWS User not authorized to perform PassRole

Time:05-04

I'm trying to create a job in AWS Glue using the Windows AWS Client and I'm receiving that I'm not authorized to perform: iam:PassRole as you can see:

Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"


An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action

The configuration in AWS is set by using Terraform, something like this:



resource "aws_s3_bucket" "mys3bucket" {

  bucket = "mys3bucket"

  tags = {
    Name            = "mys3bucket"
    ITOwnerEmail    = "[email protected]"
  }

}

resource "aws_s3_bucket_acl" "mys3bucket_acl" {
  bucket = aws_s3_bucket.mys3bucket.id
  acl    = "private"
}


#=========IAM user======#

resource "aws_iam_user" "My_User" {
  name = "My_User "
  path = "/"
}


resource "aws_iam_user_policy" "My_User-p" {
  name = "My_User-p"
  user = "My_User"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mys3bucket"
    },
    {
      "Action": "glue:*",
      "Effect": "Allow",
      "Resource": "*"
    },  
#-- THIS IS THE SOLUTION -- # 
    {
      "Action":[
            "iam:GetRole",
            "iam:PassRole"
        ],
      "Effect":"Allow",
      "Resource": "*"
    }
  ]
}
EOF
}


#===========S3-Bucket-policy=======#

resource "aws_s3_bucket_policy" "mys3bucket-p" {

  bucket = aws_s3_bucket.mys3bucket.id

  policy = <<POLICY
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111:user/My_User"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::mys3bucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111:user/My_User"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mys3bucket"
        }
    ]
}
POLICY
}

#===========Glue-policy=======#

resource "aws_iam_role" "My_Role" {
  name               = "My_Role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": [
                   "ec2.amazonaws.com",
                   "glue.amazonaws.com"
              ]
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

### Attach policy to above Role ###

resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
  role       = aws_iam_role.My_Role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

#===========IAM-Pass-Role=======#


resource "aws_iam_policy" "My_IAMPass_policy" {
  name        = "My_IAMPass_policy"
  description = "IAM Pass Role Policy"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::1111:role/My_Role"
        }
    ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "My_IAMPass_attach" {
  role       = aws_iam_role.My_Role.name
  policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}

I tried to attach IAM Pass Role but it still failing and I don't know why.

Any help is welcomed. Thank you in advance

SOLUTION: Added in the Code.

CodePudding user response:

You need to add iam:PassRole action to the policy of the IAM user that is being used to create-job. Something like:

{
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::1111:role/My_Role"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "glue.amazonaws.com"
                    ]
                }
            }
        }
  • Related