Understanding IAM Passrole

I couldn't understand the use of IAM PassRole. Can anyone explain with a simple example? I am referring to the page https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html but couldn't make much sense out of it.

Pratik Garg asked Jul 29 '20 07:07


3 Answers

PassRole is a permission granted to IAM Users and resources that permits them to use an IAM Role.

For example, imagine that there is an IAM Role called Administrators. This role has powerful permissions that should not be given to most users.

Next, imagine an IAM User who has permissions to launch an Amazon EC2 instance. While launching the instance, the user can specify an IAM Role to associate with the instance. If the user (who is not an Administrator) were to launch an EC2 instance with the Administrators role, then they could log in to the instance and issue commands using permissions from that role. It would be a way for them to circumvent permissions because, while not being an administrator themselves, they could assign the IAM Role to a resource and then use that resource to gain privileged access.

To prevent this scenario, the user must be granted iam:PassRole permission for that IAM Role. If they do not have that permission, then they will not be permitted to launch the instance or assign the role within other services. It gives them permission to pass a role to a service or resource.

John Rotenstein answered Oct 18 '22 16:10


Simply,

  • when the service B needs the ROLE
  • A has the iam:PassRole permission about the ROLE,
  • A can give the ROLE to B.

Lamanus answered Oct 18 '22 16:10


This is the permission granted to a user to allow them to pass a role to a service during configuration; without it, a user cannot perform that binding. You can use this permission combined with resource ARNs to limit which roles the user can pass to the service.

If, for example, you have many applications with many different IAM roles to choose from, you might want to restrict the roles a user is able to pass to the service. You would be able to limit this scope using the statements below.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": [
            "arn:aws:iam::<account-id>:role/EC2-WordpressRole",
            "arn:aws:iam::<account-id>:role/EC2-DatabaseRole"
        ]
    }]
}

In the above scenario there might also be an arn:aws:iam::<account-id>:role/EC2-AdminRole, but because that role grants an EC2 host permissions this user should not be able to give to an EC2 instance, it is withheld from the list by the person who configured the permissions.

Chris Williams answered Oct 18 '22 17:10
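The following is an added illustration of the mechanism described in John Rotenstein's and Chris Williams's answers; it is not code from any answer, from AWS, or from boto3. It is a deliberately small, constructed policy evaluator (explicit Deny wins, then any matching Allow, otherwise implicit deny; wildcard matching on Action and Resource; no Condition, resource-policy or permission-boundary handling) used to show that launching an instance with a role needs both ec2:RunInstances and iam:PassRole on that role's ARN, that the scoped policy above blocks EC2-AdminRole while a "Resource": "*" PassRole grant does not, and how to flag such over-broad grants. The account id 123456789012 is a constructed placeholder; the role names are taken from the policy above.

```python
"""Constructed mini IAM evaluator for the iam:PassRole example (not AWS code)."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed placeholder account id
WORDPRESS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/EC2-WordpressRole"
DATABASE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/EC2-DatabaseRole"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/EC2-AdminRole"

# The scoped policy from the answer above, plus the RunInstances grant it implies.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": [WORDPRESS_ROLE, DATABASE_ROLE]},
    ],
}

# The weak variant: PassRole on every role in the account.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Broad EC2 rights but no PassRole at all: can launch, but only without a role.
NO_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept '*' / '?' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return fnmatchcase(resource, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM decision: explicit Deny wins, any Allow grants, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_launch_with_role(policy: dict, role_arn: str) -> bool:
    """Attaching a role at launch requires ec2:RunInstances AND iam:PassRole on
    the role ARN itself; the EC2 resource ARNs are collapsed to '*' here."""
    return (is_allowed(policy, "ec2:RunInstances", "*")
            and is_allowed(policy, "iam:PassRole", role_arn))


def find_overbroad_passrole(policy: dict) -> list:
    """Return indexes of Allow statements that grant iam:PassRole on every role
    ('*' resource, or a pattern that matches any role ARN), which is the
    setting that lets a user hand any role, including admin ones, to a service."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        grants_passrole = any(_action_matches(a, "iam:PassRole")
                              for a in _as_list(stmt.get("Action", [])))
        any_role = any(_resource_matches(r, ADMIN_ROLE) and _resource_matches(r, WORDPRESS_ROLE)
                       for r in _as_list(stmt.get("Resource", [])))
        if grants_passrole and any_role:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for name, policy in [("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY),
                         ("no-passrole", NO_PASSROLE_POLICY)]:
        for role in (WORDPRESS_ROLE, ADMIN_ROLE):
            print(f"{name:12s} launch with {role.rsplit('/', 1)[1]:18s}: "
                  f"{can_launch_with_role(policy, role)}")
        print(f"{name:12s} over-broad PassRole statements: {find_overbroad_passrole(policy)}")
```

Running the block prints that the scoped policy allows a launch with EC2-WordpressRole but not EC2-AdminRole, that the wildcard policy allows both (the escalation path the first answer describes), and that the policy without iam:PassRole cannot attach either role even though it has ec2:*. The audit helper is the check a reviewer would run over real policies: any Allow of iam:PassRole whose Resource covers every role ARN deserves the same scrutiny as a direct grant of the most privileged role in the account.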