Error Message :- When I was working with AWS Glue Interactive session, I got an error User arn:aws:iam::<$aws-account-id>:role/AWSGlueServiceRole-glueworkshop/GlueJobRunnerSession is not authorized to perform iam:PassRole on recsource arn:aws:iam::<$aws-account-id>:role/AWSGlueServiceRole-glueworkshop because no identify-based policy allows the iam:PassRole action.
However, you may receive similar error message while working with other services too.
Before we move with resolution, let’s understand what iam:PassRole is ?
As per AWS Document –
To configure many AWS services, you must pass an IAM role to the service. This allows the service to assume the role later and perform actions on your behalf. For most services, you only have to pass the role to the service once during setup, and not every time that the service assumes the role.
Now let’s move to Solution :-
- Copy the arn (amazon resource name) from error message e.g. arn:aws:iam::<aws-account-number>:role/AWSGlueServiceRole-glueworkshop or go to IAM –> Roles and copy the arn for in error message.
- Go to IAM –> Roles –> Role name (e.g. AWSGlueServiceRole-glueworkshop )
- Click on Add permission –> Create inline policy
4. Go to the JSON tab and add below inline policy
Note – Do not forget to replace your <$aws-account-id>
{
“Version”: “2012-10-17”,
“Statement”: [{
“Effect”: “Allow”,
“Action”: [
“iam:GetRole”,
“iam:PassRole”
],
“Resource”: “arn:aws:iam::<$aws-account-id>:role/AWSGlueServiceRole-glueworkshop”
}]
}
5. Click on review policy and provide policy name (e.g. inline-iam-pass-role ) and click on create policy
Learn Sql Team 