Reputation: 5459
I'm currently spinning in circles trying to restore from an AWS Backup and am running into permissions errors. I have administrator access to my AWS account. I've tried creating a new policy and attaching it to my user account in IAM as follows:
The issue I can't seem to get around is that I need to add the permission iam:PassRole but I can't seem to find it anywhere within the AWS portal. How can I add this permission to my policy?!
EDIT: I've created a policy with all backup permissions allowed, including iam:PassRole; however, I am still receiving the error message "You are not authorized to perform this operation." when trying to perform the backup. The policy I've created and attached to my user looks as follows:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "backup:*",
                "iam:PassRole",
                "iam:GetRole"
            ],
            "Resource": "*"
        }
    ]
}
```
Upvotes: 7
Views: 10088
Reputation: 11
Attach the following as an inline policy to the existing AWSBackupDefaultServiceRole role.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<AccountId>:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            }
        }
    ]
}
```
Without the condition element the policy will generate the following warning:
PassRole With Star In Resource: Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources. We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement.
We need to use a wildcard (*) because the roles we're passing to the various EC2 instances being restored will vary. To fix the policy statement we'll need to add a condition to it. If you look at the trust policy for AWSBackupDefaultServiceRole you'll see that it trusts backup.amazonaws.com, but when we use the iam:PassRole condition we actually need to use ec2.amazonaws.com, which will pass the role to the instance being restored and not to the intermediate service that is passing the role (backup.amazonaws.com). The documentation says:
Sometimes you pass a role to a service that then passes the role to a different service. iam:PassedToService includes only the final service that assumes the role, not the intermediate service that passes the role.
Upvotes: 1
Reputation: 5000
“To successfully do a restore with the original instance profile, you will need to make changes to the restore policy. If you apply instance profile during the restore, you must update the operator role and add PassRole permissions of the underlying instance profile role to EC2. Otherwise, Amazon EC2 won’t be able to authorize the instance launch and it will fail.”
Here is the policy you can attach to the AWS default Backup role “AWSBackupDefaultServiceRole” to work around this issue:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<Account-ID>:role/*"
        }
    ]
}
```
Upvotes: 11
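Added example, not code from the question or either answer: a small linter that encodes the "PassRole With Star In Resource" check quoted in the first answer. It flags any Allow statement that covers iam:PassRole on a wildcard resource unless the statement carries an iam:PassedToService condition, so the conditioned policy from the first answer passes while the unconditioned one from the second answer (and the user policy in the question) is reported. It also checks that the Version string is exactly one of the values IAM accepts, which catches typographic dashes pasted from a web page. The two sample policies are constructed from the answers above, with a placeholder account id.

```python
"""Lint IAM policy documents for over-broad iam:PassRole grants.

Added example; not from the original question or answers.
"""
import fnmatch
import json

# Constructed samples modelled on the two answers. 111122223333 is a placeholder account id.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PassRole",
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": ["arn:aws:iam::111122223333:role/*"],
    "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}
  }]
}
""")

UNSCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::111122223333:role/*"
  }]
}
""")

# The only Version values the IAM policy grammar accepts.
VALID_VERSIONS = ("2012-10-17", "2008-10-17")


def _as_list(value):
    """IAM allows Statement/Action/Resource as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_passrole(actions):
    """True if any action pattern (case-insensitive, IAM-style '*' and '?' wildcards) covers iam:PassRole."""
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in actions)


def _has_passed_to_service(condition):
    """True if any condition operator block (StringEquals, StringLike, ...) keys on iam:PassedToService."""
    for keys in (condition or {}).values():
        if isinstance(keys, dict) and any(k.lower() == "iam:passedtoservice" for k in keys):
            return True
    return False


def find_broad_passrole(policy):
    """Return the Sid (or positional label) of each Allow statement that passes
    roles on a wildcard resource without restricting the receiving service."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_passrole(_as_list(stmt.get("Action"))):
            continue
        if not any("*" in r for r in _as_list(stmt.get("Resource"))):
            continue  # fully qualified role ARNs only: nothing to report
        if _has_passed_to_service(stmt.get("Condition")):
            continue  # scoped to a service, as the first answer recommends
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def version_is_valid(policy):
    """IAM rejects a Version that is not byte-for-byte one of VALID_VERSIONS;
    en-dashes or smart quotes copied from a web page are a typical cause."""
    return policy.get("Version") in VALID_VERSIONS


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, "version ok:", version_is_valid(policy),
              "broad PassRole statements:", find_broad_passrole(policy))
```

Run it on any policy document loaded with json.load before attaching it to a role or user; an empty list from find_broad_passrole means every PassRole grant is either pinned to specific role ARNs or scoped with iam:PassedToService.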