I'm trying to create a job in AWS Glue using the Windows AWS Client and I'm receiving that I'm not authorized to perform: iam:PassRole as you can see:
Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"
An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action
The configuration in AWS is set by using Terraform, something like this:
resource "aws_s3_bucket" "mys3bucket" {
bucket = "mys3bucket"
tags = {
Name = "mys3bucket"
ITOwnerEmail = "[email protected]"
}
}
resource "aws_s3_bucket_acl" "mys3bucket_acl" {
bucket = aws_s3_bucket.mys3bucket.id
acl = "private"
}
#=========IAM user======#
resource "aws_iam_user" "My_User" {
name = "My_User "
path = "/"
}
resource "aws_iam_user_policy" "My_User-p" {
name = "My_User-p"
user = "My_User"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mys3bucket"
},
{
"Action": "glue:*",
"Effect": "Allow",
"Resource": "*"
},
#-- THIS IS THE SOLUTION -- #
{
"Action":[
"iam:GetRole",
"iam:PassRole"
],
"Effect":"Allow",
"Resource": "*"
}
]
}
EOF
}
#===========S3-Bucket-policy=======#
resource "aws_s3_bucket_policy" "mys3bucket-p" {
bucket = aws_s3_bucket.mys3bucket.id
policy = <<POLICY
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mys3bucket/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mys3bucket"
}
]
}
POLICY
}
#===========Glue-policy=======#
resource "aws_iam_role" "My_Role" {
name = "My_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"glue.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
### Attach policy to above Role ###
resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
role = aws_iam_role.My_Role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}
#===========IAM-Pass-Role=======#
resource "aws_iam_policy" "My_IAMPass_policy" {
name = "My_IAMPass_policy"
description = "IAM Pass Role Policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::1111:role/My_Role"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "My_IAMPass_attach" {
role = aws_iam_role.My_Role.name
policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}
I tried to attach IAM Pass Role but it still failing and I don't know why.
Any help is welcomed. Thank you in advance
SOLUTION: Added in the Code.
CodePudding user response:
You need to add iam:PassRole action to the policy of the IAM user that is being used to create-job. Something like:
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::1111:role/My_Role"
],
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}