1
votes

I have a role ssm-role for EC2. I want another IAM user to launch EC2 instance with ssm-role attached.

Policy attached to ssm-role: AmazonEC2RoleforSSM

Trust relationship for ssm-role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::<ACC_ID>:user/test-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I have added the following inline policy for the user who wants to assume ssm-role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<ACC_ID>:role/ssm-role"
        }
    ]
}

Despite these, test-user is not able to launch EC2 with ssm-role attached.

Any help will be greatly appreciated.

Note: test-user has EC2FullAccess

1

1 Answer

5
votes

To launch an Amazon EC2 instance with an attached role, the IAM User making the request needs to have iam:PassRole permissions for the given role.

This is required to prevent a potential "elevation of authority" situation, such as:

  • A user has limited permissions
  • They launch an EC2 instance, specifying a Role that has elevated privileges
  • They log in to the EC2 instance and use the privileges of the Role to perform functions that they would not normally be permitted to do

Thus, a user must have iam:PassRole permissions for the given role (at minimum) to be able to launch an instance that uses that role.

See: Granting a User Permissions to Pass a Role to an AWS Service - AWS Identity and Access Management
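The iam:PassRole grant the answer describes, written out as an added example (it is not part of the question or the answer; it reuses the <ACC_ID> placeholder and the ssm-role name from the question, and the iam:PassedToService condition key is a standard IAM key that restricts which service the role may be passed to):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPassingSsmRoleToEc2Only",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<ACC_ID>:role/ssm-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
```

Scoping Resource to the single role and adding the iam:PassedToService condition lets test-user attach ssm-role at launch without being able to pass any other role, or this role to any other service. The sts:AssumeRole grant and the user entry in the role's trust policy are not what ec2:RunInstances checks; the trust policy only needs to allow ec2.amazonaws.com.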