Shannon Wrege

Reputation: 159

Creating AWS File Gateway Share with an Existing Role

I have an AWS File Gateway. I am able to create a share to an S3 bucket ONLY if I let the AWS console create a new IAM role. If I select Use an Existing Role I get the error:

Failed to create file share

User: arn:aws:iam::024123456789:root is not authorized to perform: iam:PassRole on resource: my-storage-gateway-role (Request ID: f14a287d-e266-11e7-bd3b-49a5a190c50e)

I have tried this using both IAM users with administrative access and the root user. Every attempt results in this same error. Here is the policy that my administrators have:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Isn't this policy sufficient to do pretty much anything? Any ideas what is causing this error?

Upvotes: 1

Views: 1111

Answers (1)

Scott

Reputation: 11

Scott here with AWS, I understand that when you try to create your own IAM role that has admin permissions for your SGW, you're still not able to create a file share with your S3 bucket.

Looking into the issue, the most likely reason for this error is that your account doesn't have the correct permissions to assume the role with Storage Gateway [1]:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "storagegateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Since you have admin access on the role, you don't need to change the policy for permissions.

After logging into my root account, I wasn't able to reproduce this issue even when creating a new role for the file share.

Are you able to share the role you are trying to use?

[1]http://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#grant-access-s3

Upvotes: 1
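As an added check, not part of the question or of the AWS answer above: a small Python helper that reads a role's trust policy document and reports whether the storagegateway.amazonaws.com service principal is allowed sts:AssumeRole, which is the condition the answer points to. The two sample trust policies are constructed for the example and the function names are my own; Condition blocks are deliberately not evaluated.

```python
import json

# Constructed sample trust policies: the one quoted in the answer (what
# Storage Gateway needs) and one that trusts only EC2, so the gateway
# service could never assume it.
STORAGE_GATEWAY_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "", "Effect": "Allow",
                 "Principal": {"Service": "storagegateway.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}"""

EC2_ONLY_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}"""


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt, service):
    """True if the statement names `service` (or *) and an AssumeRole action."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        services = ["*"]
    elif isinstance(principal, dict):
        services = _as_list(principal.get("Service"))
    else:
        services = []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return (service in services or "*" in services) and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions)


def service_can_assume(trust_policy_json, service="storagegateway.amazonaws.com"):
    """Return True if the trust policy lets `service` call sts:AssumeRole.
    Condition blocks are ignored (a simplification); an explicit Deny wins."""
    statements = _as_list(json.loads(trust_policy_json).get("Statement"))
    matching = [s for s in statements if _statement_covers(s, service)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)
```

To check a real role, feed it the document returned by `aws iam get-role --role-name my-storage-gateway-role --query Role.AssumeRolePolicyDocument`; a False result means the trust relationship, not the permissions policy, is what needs fixing.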
