AWS Certified Developer - Associate
Identity and Access Management IAM
IAM PassRole for AWS Services
In this lesson, we explore the IAM PassRole permission, a fundamental requirement for delegating roles to AWS services such as Amazon Elastic Compute Cloud (EC2) instances and AWS Lambda functions.
Key Information
The IAM PassRole permission is essential for allowing users to delegate existing roles to AWS services. Explicit permissions must be granted for every AWS operation, ensuring that users only pass roles they are authorized to assign.
Understanding IAM PassRole
To delegate a role to an AWS service, users need explicit permissions defined in an IAM policy. The iam:PassRole action specifically enables a user to transfer an existing role to another service, while the iam:GetRole action permits them to view role details.
Example IAM Policy
Below is an example policy that grants a user permission to retrieve role information and pass the role to an AWS service. The policy restricts these actions to roles matching the identifier "EC2-roles-for-XYZ-*", enhancing security by enforcing specific resource boundaries.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
    }]
}
Policy Breakdown
- The iam:GetRole action allows a user to read the details of a role.
- The iam:PassRole action enables the user to assign the role to an AWS service, such as an EC2 instance.
- The Resource field specifies that the policy applies only to roles matching the pattern "EC2-roles-for-XYZ-*".
Applying the IAM Policy
When this policy is attached to a user or role, it authorizes them to assign any role matching EC2-roles-for-XYZ-* to AWS services. This delegation ensures that the service receives the permissions defined by the role while maintaining strict control over which roles can be passed.
Implementing this policy effectively enforces your AWS security best practices, ensuring that users have the necessary, yet limited, permissions to delegate roles within your environment.
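To make the resource boundary concrete, here is an added example (not part of the lesson) that evaluates the policy above against specific role ARNs with a simplified identity-policy evaluator (explicit Deny wins, conditions are not modelled) and flags statements that grant iam:PassRole on every role. Both policy documents are constructed here; "account-id" is the same placeholder the lesson uses.

```python
import re

# Constructed copy of the lesson's scoped policy ("account-id" is a placeholder).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
                   "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"}],
}
# Constructed weak variant for comparison: iam:PassRole on every role.
UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def policy_allows(policy, action, resource_arn):
    """Simplified evaluation of one identity policy: an explicit Deny wins, otherwise
    any matching Allow grants, and the default is deny. Conditions are not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; the ARN is matched as written.
        if not any(iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def unscoped_passrole_statements(policy):
    """Review check: Allow statements that pass iam:PassRole on an unbounded role
    pattern ("*", "...:*" or "...role/*"), i.e. any role the caller can name."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_pass = any(iam_match(a, "iam:passrole") for a in actions)
        too_broad = any(r == "*" or r.endswith(":*") or r.endswith("/*")
                        for r in _as_list(stmt.get("Resource", [])))
        if stmt["Effect"] == "Allow" and grants_pass and too_broad:
            flagged.append(stmt)
    return flagged
```

Running unscoped_passrole_statements over the policies attached to your users is a quick way to spot PassRole grants that are wider than the EC2-roles-for-XYZ-* style boundary the lesson recommends.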