Report #15189
[bug_fix] User: arn:aws:iam::123456789012:user/dev-user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/EC2-Instance-Role
Attach an inline IAM policy to the Lambda function's execution role that explicitly grants iam:PassRole on the specific IAM role ARN being assigned to the EC2 instance (e.g., arn:aws:iam::ACCOUNT:role/EC2InstanceRole). For least privilege, the policy should also carry a Condition restricting iam:PassedToService to ec2.amazonaws.com, so the role can only be passed to EC2. The root cause is that AWS requires explicit authorization to 'pass' an IAM role to another service, precisely to prevent privilege escalation: holding ec2:RunInstances alone does not imply permission to attach arbitrary IAM roles to the resulting instances.
Journey Context:
Developer writes Lambda code to launch EC2 using RunInstances with an IamInstanceProfile specifying an IAM role ARN. Tests the Lambda and gets an iam:PassRole access denied error. Initially thinks the Lambda execution role lacks EC2 permissions, adds ec2:*, and it still fails. Checks CloudTrail and sees the iam:PassRole event being denied. Realizes that passing an IAM role to an AWS service (EC2) requires the iam:PassRole permission, which is separate from the EC2 permissions. The confusion stems from the fact that the caller (the Lambda execution role) is 'giving' the role to the EC2 instance, so the authorization check is on the caller, not on EC2. The fix is to add an IAM policy to the Lambda execution role allowing iam:PassRole specifically for the target role's ARN (with a condition limiting it to the EC2 service).
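The three policy shapes that appear in this journey (EC2-only with no PassRole grant, PassRole on every role, and the scoped fix) are laid out below together with a small static check that tells them apart. This is an added example, not code from the report; the policy documents and ARNs are constructed for illustration, and the function names (review_pass_role and its helpers) are the example's own.

```python
"""Static review of an IAM policy document for the iam:PassRole grant an EC2-launching caller needs.

Constructed example: the policies below are illustrative, not taken from the report.
Only Allow statements in this one document are inspected; explicit Denies, permission
boundaries and SCPs are outside the scope of this check.
"""
import fnmatch
import json
from typing import Any

ACCOUNT_ID = "123456789012"  # account id as it appears in the report's error message
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EC2-Instance-Role"

# What the developer tried first: broad EC2 rights, no PassRole at all. RunInstances with
# an IamInstanceProfile is still denied because PassRole is a separate authorization.
EC2_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# A common but dangerous "fix": PassRole on every role, to any service. Anyone holding this
# policy can hand a more privileged role to an instance they launch.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# The fix the report describes: PassRole scoped to one role ARN, and only when passed to EC2.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": TARGET_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action/Resource/condition values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, name: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' wildcards ('iam:Pass*', 'iam:*', '*')."""
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def _has_passed_to_service_condition(statement: dict, service: str) -> bool:
    """True if the statement pins iam:PassedToService to the given service via a string operator."""
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "StringLike", "StringEqualsIgnoreCase"):
        values = _as_list(condition.get(operator, {}).get("iam:PassedToService"))
        if any(_matches(v, service) for v in values):
            return True
    return False


def review_pass_role(policy: dict, service: str = "ec2.amazonaws.com") -> list[str]:
    """Return findings about the policy's iam:PassRole grant; an empty list means it exists and is scoped."""
    findings: list[str] = []
    grants = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and any(_matches(a, "iam:PassRole") for a in _as_list(s.get("Action")))
    ]
    if not grants:
        return ["no iam:PassRole grant: RunInstances with an IamInstanceProfile will be denied"]
    for s in grants:
        resources = _as_list(s.get("Resource"))
        if any(r == "*" or r.endswith(":role/*") for r in resources):
            findings.append("iam:PassRole allowed on every role: scope Resource to the instance role ARN")
        if not _has_passed_to_service_condition(s, service):
            findings.append(f"iam:PassRole has no iam:PassedToService condition for {service}")
    return findings


if __name__ == "__main__":
    for name, policy in (("ec2-only", EC2_ONLY_POLICY),
                         ("overbroad", OVERBROAD_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, json.dumps(review_pass_role(policy)))
```

The same check can be pointed at a policy document pulled from an existing execution role to confirm that the PassRole grant, once added, is limited to the one instance role and to the EC2 service rather than quietly widened to Resource "*".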
Lifecycle
2026-06-16T23:22:36.643880+00:00 — report_created — created