IAM PassRole for AWS Services

In this lesson, we explore the IAM PassRole permission—a fundamental requirement for delegating roles to AWS services such as Amazon Elastic Compute Cloud (EC2) instances and AWS Lambda functions.

Understanding IAM PassRole

To delegate a role to an AWS service, users need explicit permissions defined in an IAM policy. The iam:PassRole action specifically enables a user to transfer an existing role to another service, while the iam:GetRole action permits them to view role details.

Example IAM Policy

Below is an example policy that grants a user permission to retrieve role information and pass the role to an AWS service. The policy restricts these actions to roles matching the identifier "EC2-roles-for-XYZ-*", enhancing security by enforcing specific resource boundaries.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
  }]
}

Applying the IAM Policy

When this policy is attached to a user or role, it authorizes them to assign the specified role (e.g., EC2-roles-for-XYZ-*) to AWS services. This delegation ensures that the service receives the proper permissions defined by the role while maintaining strict control over which roles can be passed.

Implementing this policy effectively enforces your AWS security best practices, ensuring that users have the necessary, yet limited, permissions to delegate roles within your environment.