AWS 用户无权执行 PassRole

AWS User not authorized to perform PassRole

我正在尝试使用 Windows AWS 客户端在 AWS Glue 中创建一个作业,但我收到消息说我未被授权执行:iam:PassRole 如你所见:

Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"


An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action

AWS 中的配置是使用 Terraform 设置的,如下所示:



# Bucket that holds the Glue job script (the ScriptLocation s3://mys3bucket/... in the create-job call).
resource "aws_s3_bucket" "mys3bucket" {

  bucket = "mys3bucket"

  tags = {
    Name            = "mys3bucket"
    ITOwnerEmail    = "my@email.com"
  }

}

# Private canned ACL on the script bucket: no ACL grants to other accounts,
# so access comes only from IAM policies and the bucket policy below.
resource "aws_s3_bucket_acl" "mys3bucket_acl" {
  bucket = aws_s3_bucket.mys3bucket.id
  acl    = "private"
}


#=========IAM user======#

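# IAM user that runs `aws glue create-job`. It is this principal, not the role,
# that must hold iam:PassRole on My_Role.
resource "aws_iam_user" "My_User" {
  # No trailing space: the original "My_User " did not match the hard-coded
  # "My_User" in aws_iam_user_policy.My_User-p nor the user ARN in the bucket policy.
  name = "My_User"
  path = "/"
}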


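# Inline identity-based policy for the user that calls create-job.
# This is where the iam:PassRole grant has to live: PassRole is evaluated against
# the caller's identity policies, not against the role being passed.
resource "aws_iam_user_policy" "My_User-p" {
  name = "My_User-p"
  # Reference the resource instead of repeating the name, so the two cannot drift
  # apart and Terraform creates the user before the policy.
  user = aws_iam_user.My_User.name

  # The heredoc below is parsed as JSON by AWS; HCL "#" comments must stay outside it
  # (the original embedded a "#-- THIS IS THE SOLUTION --#" line that made the
  # policy document invalid JSON).
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.mys3bucket.arn}/*"
    },
    {
      "Action": "glue:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iam:GetRole",
      "Effect": "Allow",
      "Resource": "${aws_iam_role.My_Role.arn}"
    },
    {
      "Action": "iam:PassRole",
      "Effect": "Allow",
      "Resource": "${aws_iam_role.My_Role.arn}",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "glue.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}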


#===========S3-Bucket-policy=======#

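# Resource-based policy on the script bucket granting the job user object and
# list access. Principal and resource ARNs are taken from the Terraform resources
# rather than hard-coded, so a rename of the user or bucket cannot silently break them.
resource "aws_s3_bucket_policy" "mys3bucket-p" {

  bucket = aws_s3_bucket.mys3bucket.id

  # "2012-10-17" is the current policy language version; "2008-10-17" is the
  # legacy one and does not support policy variables.
  policy = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "${aws_iam_user.My_User.arn}"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "${aws_s3_bucket.mys3bucket.arn}/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "${aws_iam_user.My_User.arn}"
            },
            "Action": "s3:ListBucket",
            "Resource": "${aws_s3_bucket.mys3bucket.arn}"
        }
    ]
}
POLICY
}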

#===========Glue-Role=======#

# Service role that the Glue job runs as. The trust policy below only decides
# which AWS services may assume the role; it does not grant any principal the
# right to pass the role, which is a separate iam:PassRole permission on the caller.
resource "aws_iam_role" "My_Role" {
  name               = "My_Role"
  # NOTE(review): ec2.amazonaws.com is trusted as well as glue.amazonaws.com. If
  # nothing on EC2 needs this role, drop it so only Glue can assume the role.
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": [
                   "ec2.amazonaws.com",
                   "glue.amazonaws.com"
              ]
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

### Attach policy to above Role ###

# Gives the Glue service role the AWS-managed AWSGlueServiceRole permissions
# (what the job itself needs at run time; unrelated to the PassRole error).
resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
  role       = aws_iam_role.My_Role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

#===========IAM-Pass-Role=======#


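# Customer-managed policy granting the right to pass My_Role to Glue.
# Attach it to the principal that calls create-job (the IAM user), not to My_Role.
resource "aws_iam_policy" "My_IAMPass_policy" {
  name        = "My_IAMPass_policy"
  description = "IAM Pass Role Policy"

  # GetRole and PassRole are split into two statements: the iam:PassedToService
  # condition key exists only on PassRole requests, so putting it on a combined
  # statement would make the GetRole allow never match.
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "${aws_iam_role.My_Role.arn}"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "${aws_iam_role.My_Role.arn}",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "glue.amazonaws.com"
                }
            }
        }
    ]
}
EOF
}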

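# iam:PassRole is checked against the caller of create-job, i.e. the IAM user.
# The original attached this policy to My_Role, which grants the permission to
# sessions of the role rather than to the user, so create-job kept failing.
resource "aws_iam_user_policy_attachment" "My_IAMPass_attach" {
  user       = aws_iam_user.My_User.name
  policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}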

我尝试附加了 IAM PassRole 策略,但它仍然失败,我不知道为什么。

欢迎任何帮助。提前谢谢你

解决方案:把以下语句添加到 IAM 用户的策略中。

您需要将 iam:PassRole 操作添加到执行 create-job 的那个 IAM 用户的策略中(而不是角色的策略中)。类似于:

{
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::1111:role/My_Role"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "glue.amazonaws.com"
                    ]
                }
            }
        }