38

I couldn't understand the use of IAM Passrole. Can anyone explain with simple example? I am referring the page : https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html but couldn't make much sense out it.

Pratik Garg
  • A nuance missing from the existing answers: Using `Condition` to limit where the role can be passed [IAM: Pass an IAM role to a specific AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) – Brent Bradburn Dec 21 '22 at 18:31

3 Answers

54

PassRole is a permission granted to IAM Users and resources that permits them to use an IAM Role.

For example, imagine that there is an IAM Role called Administrators. This role has powerful permissions that should not be given to most users.

Next, imagine an IAM User who has permissions to launch an Amazon EC2 instance. While launching the instance, the user can specify an IAM Role to associate with the instance. If the user — who is not an Administrator — were to launch an EC2 instance with the Administrators role, then they could login to the instance and issue commands using permissions from that role. It would be a way for them to circumvent permissions: while not being an administrator themselves, they could assign the IAM Role to a resource, and then use that resource to gain privileged access.

To prevent this scenario, IAM requires that the user be granted the iam:PassRole permission for the Administrators role. If the user does not have that permission, then they will not be permitted to launch the EC2 instance as described, or to assign that role to any other services. It gives them permission to pass a role to a service or resource.

Michael Wheeler
John Rotenstein
  • Let's say a user is granted iam:PassRole for the admin role. He creates an EC2 instance with the Admin Role. Now can he SSH to the EC2 instance and do admin activity which was not allowed to the user directly? If yes, then how does it solve the issue? – sanjay patel Jul 31 '21 at 15:08
  • @sanjaypatel No, you mis-read my scenario. The idea is that a non-Admin person should _not_ be given PassRole permissions for an Admin role. If they _are_ given such permissions, then they can act as an Admin, which is bad. – John Rotenstein Jul 31 '21 at 22:22
  • @JohnRotenstein Does it mean that when a non-admin user tries to launch an instance that requires the admin role, it will throw an error and not allow the non-admin user to launch the instance? – Wai Yan Hein Jun 29 '23 at 21:23
  • @WaiYanHein If a user tries to launch an Amazon EC2 instance with an IAM Role and they do not have `iam:PassRole` permissions to pass that role then, yes, the launch of the instance will be denied. – John Rotenstein Jun 29 '23 at 22:43
35

Simply,

  • when service B needs the ROLE, and
  • A has the iam:PassRole permission for the ROLE,
  • A can give the ROLE to B.
Lamanus
3

This is the permission granted to a user to be allowed to pass a role to a service during configuration; without it, a user cannot perform that binding. You can use this permission combined with resource ARNs to limit which roles the user can pass to the service.

If, for example, you have many applications with many different IAM roles available to choose from, you might want to restrict the roles a user is able to pass to the service. You would be able to limit this scope using the statement below.

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::<account-id>:role/EC2-WordpressRole",
            "arn:aws:iam::<account-id>:role/EC2-DatabaseRole"
        ]
    }]
}
```

In the above scenario there might also be an arn:aws:iam::<account-id>:role/EC2-AdminRole, but because this role grants an EC2 host permissions that this user should not be able to give to an EC2 instance, it is withheld from the list by the person who configured the permissions.

Chris Williams
  • It is clear that `PassRole is a permission granted to IAM Users and resources that permits them to use an IAM Role`; in addition to users, is this applicable to roles as well? Ex: RoleA can't create iam_users, RoleB can create iam_users; can we use iam:PassRole permissions to allow RoleA to create new iam users using the perms of RoleB? – DJ_Stuffy_K Oct 05 '20 at 17:33
  • Yes, a role can assume another role with permissions; in fact that's why external IDs exist, to prevent the situation where a role in one account can hop from one account to another when it should not have permission: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html. – Chris Williams Oct 05 '20 at 17:52
  • Thank you @chris-williams , I'm trying to accomplish the same https://stackoverflow.com/questions/64212547/creating-iam-user-and-aws-secrets-via-iampassrole but unable to understand what I'm doing wrong. Would appreciate it if you could shed some light on it. – DJ_Stuffy_K Oct 05 '20 at 18:09
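To make the decision logic from the answers concrete, here is a small offline model of how IAM evaluates an `iam:PassRole` request. It is an added example, not code from the question's authors or from AWS: it takes the policy from Chris Williams' answer (with a constructed account id instead of `<account-id>`), adds the `iam:PassedToService` condition mentioned in the comment on the question, and shows why `EC2-WordpressRole` can be passed to EC2 while `EC2-AdminRole` cannot, and why even a permitted role cannot be passed to a service the condition excludes. The `can_pass_role` and `role_arn` helpers are assumptions of this example, and only a teaching subset of IAM evaluation (explicit deny, implicit deny, wildcards, one condition key) is modelled.

```python
"""Offline model of the iam:PassRole decision (added example, not AWS code).
Evaluates the answer's policy with a constructed account id plus an added
iam:PassedToService condition; real IAM also applies SCPs and boundaries."""
import fnmatch

ACCOUNT = "123456789012"  # constructed sample account id, stands in for <account-id>

def _aslist(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(cond, service):
    """Only iam:PassedToService with StringEquals / StringLike is modelled."""
    for op, kv in cond.items():
        for key, vals in kv.items():
            vals = _aslist(vals)
            if key.lower() != "iam:passedtoservice":
                return False  # unknown key: treat as not satisfied
            if op == "StringEquals" and service not in vals:
                return False
            if op == "StringLike" and not any(fnmatch.fnmatchcase(service, v) for v in vals):
                return False
            if op not in ("StringEquals", "StringLike"):
                return False  # unsupported operator
    return True

def can_pass_role(policy, arn, service):
    """True if policy allows iam:PassRole on arn when passed to service.
    Explicit Deny wins; no matching Allow means implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("iam:PassRole", a) for a in _aslist(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _aslist(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), service):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def role_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:role/{name}"

# The answer's policy, narrowed so the listed roles may only be passed to EC2.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": [role_arn("EC2-WordpressRole"), role_arn("EC2-DatabaseRole")],
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
}]}
```

Calling `can_pass_role(POLICY, role_arn("EC2-AdminRole"), "ec2.amazonaws.com")` returns `False` because no statement names that role, which is exactly the implicit deny that stops the privilege-escalation path described in the accepted answer.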