CloudFormation is not authorized to perform: iam:PassRole on resource


This is part of the code of my template.yml in Cloud9:

Type: 'AWS::Serverless::Function'
Properties:
  Handler: index.handler
  Runtime: nodejs6.10
  CodeUri: .
  Description: Updates records in the AppConfig table.
  MemorySize: 128
  Timeout: 3
  Role: 'arn:aws:iam::579913947261:role/FnRole'
  Events:
    Api1:
      Type: Api
      Properties:

When I commit the changes in Cloud9, deployment fails at the CodePipeline Deploy stage while trying ExecuteChangeSet. I get this error:

CloudFormation is not authorized to perform: iam:PassRole on resource

Can anyone help?

While I can't say specifically what happened in your situation, the error message means that the Role/User that CloudFormation used to deploy resources did not have appropriate iam:PassRole permissions.

The iam:PassRole permission is used when assigning a role to resources. For example, when an Amazon EC2 instance is launched with an IAM Role, the entity launching the instance requires permission to specify the IAM Role to be used. This is done to prevent users gaining too much permission. For example, a non-administrative user should not be allowed to launch an instance with an Administrative role, since they would then gain access to additional permissions to which they are not entitled.

In the case of your template, it would appear that CloudFormation is creating a function and is assigning the FnRole permission to that function. However, the CloudFormation template has not been given permission to assign this role to the function.

When a CloudFormation template is launched, it either provisions resources as the user who is creating the stack, or using an IAM Role specified when the stack is launched. It is that User/Role that requires the iam:PassRole permissions to use FnRole.
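As an added illustration of the point above (example code, not part of the answer): the script parses an AccessDenied message of the kind quoted in the comments below and emits the least-privilege statement that would resolve it, allowing iam:PassRole only on the one role ARN and only when the role is passed to Lambda. The iam:PassedToService condition key is a real IAM condition; the mapping from the error's "Service:" label to a service principal is an assumption made for this example.

```python
import json
import re

# Constructed sample, copied from the AccessDenied message quoted in the question's comment.
SAMPLE_ERROR = (
    "User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/"
    "AWSCloudFormation is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::156478935478:role/service-role/FnRole(Service: AWSLambda; Status Code: 403; "
    "Error Code: AccessDeniedException)"
)

# Assumed mapping from the "Service:" label in the error to the service principal
# that the role is being passed to (used for the iam:PassedToService condition).
SERVICE_PRINCIPALS = {
    "AWSLambda": "lambda.amazonaws.com",
    "AmazonEC2": "ec2.amazonaws.com",
}

ERROR_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/]+)/[^ ]+) "
    r"is not authorized to perform: (?P<action>iam:PassRole) on resource: "
    r"(?P<resource>arn:aws:iam::\d{12}:role/\S+?)\s*\(Service: (?P<service>\w+);"
)


def parse_access_denied(message: str) -> dict:
    """Extract the calling role, denied action, target role ARN and service from the error."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not an iam:PassRole AccessDenied message")
    return m.groupdict()


def passrole_policy(denied: dict) -> dict:
    """Build the minimal policy that fixes the denial: one action, one role ARN, one service."""
    principal = SERVICE_PRINCIPALS[denied["service"]]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"PassRoleTo{denied['service']}",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": denied["resource"],
            "Condition": {"StringEquals": {"iam:PassedToService": principal}},
        }],
    }


if __name__ == "__main__":
    d = parse_access_denied(SAMPLE_ERROR)
    print(f"attach this policy to role {d['role']}:")
    print(json.dumps(passrole_policy(d), indent=2))
```

Attach the resulting statement to the role that CloudFormation deploys with (here the CodeStarWorker-AppConfig-CloudFormation role), not to FnRole itself.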

Granting a User Permissions to Pass a Role to an AWS Service: grant permissions to an IAM user to pass a role to an AWS service. You only have to pass the role to the service once during set-up, and not every time that the service assumes the role; the role itself carries the permissions that authorize the application to perform actions in AWS. You can restrict the iam:PassRole permission with the Resource element of the IAM policy statement.

Your CloudFormation role summary will look like the screenshot below. Click on the Add inline policy button to open the policy editor and select the JSON tab. Paste the following JSON object into the input field. You may not need all of the actions, so you can experiment by adding iam:CreateRole first and adding other actions as they are needed.

AWS CloudFormation Service Role: use an IAM service role, an IAM role that allows AWS CloudFormation to make calls to resources in a stack on your behalf, to specify the actions that AWS CloudFormation can perform, which might not always be the same actions that users can perform. The iam:PassRole permission specifies which roles you can use.

If you change the name of the role from: RoleName: 'arn:aws:iam::579913947261:role/FnRole'

To include the prefix of CodeStar-${ProjectId} then the role can be created/updated/etc without having to modify the IAM policy of the CodeStarWorker-AppConfig-CloudFormation role. e.g. RoleName: !Sub 'CodeStar-${ProjectId}-[FunctionName]'

I posted a full explanation here: Change IAM Role for a Lambda in a CloudFormation template in a CodeStar project?

Pass role permissions - AWS IoT: the user performing this operation requires the iam:PassRole permission. If you do not pass a role, the user creating the rule does not need the iam:PassRole permission. When you create a service-linked role, you must have permission to pass that role to the service.

Troubleshooting AWS CodePipeline Identity and Access: if you receive an error that you're not authorized to perform iam:PassRole, the policies of the calling identity must be updated to allow it to pass the role to the service. In the AWS Backup case, the example output shows that the default IAM role named AWSBackupDefaultServiceRole was used to run the restore job; this role must have permission for iam:PassRole.

User is not authorized to perform: iam:PassRole on resource: I would try removing the user from the trust relationship (which is unnecessary anyway); AWS services don't play well when having a mix of accounts in a trust relationship. Now try to deploy the following CloudFormation templates: stack-with-permissions-boundary.json will succeed, as the IAM role is created with a PermissionsBoundary attached; stack-without-permissions-boundary.json will fail with the message “User is not authorized to perform: iam:CreateRole”.

How is iam:PassRole managed to control server credentials?: iam:PassRole is the permission that controls which users can delegate an IAM role to an AWS resource. This allows the service to later assume the role and perform actions on your behalf. You only have to pass the role to the service once during set-up, and not every time that the service assumes the role.

Comments
  • Thanks for the info. Sorry, I should have posted more log info. User: arn:aws:sts::156478935478:assumed-role/CodeStarWorker-AppConfig-CloudFormation/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::156478935478:role/service-role/FnRole (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 129f601b-a425-11e8-9659-410b0cc8f4f9). I am aware that I need to give permission to CloudFormation, but I didn't know how to do that and where.
  • @John Rotenstein accurate and well explained answer.
  • Thanks for helping in formatting the answer @John Rotenstein. I wish I could mark your answer as useful, but I need to have 15 reputation.
  • You won't get reputation for answering your own question. This is how Stack Overflow works.
  • There is a small gotcha here to @SecondOfTwo's answer: if it is an AWS Managed Policy you can't edit it, which is often the case using CodePipeline. Just create a new policy and attach it to the Role.