Assistance Required – Permission Denied Error During Terraform Apply

vidya4java · October 4, 2025, 5:09pm

Hi Team,

I am working on creating AWS infrastructure for one of my ETL requirements using Terraform. While running the terraform apply command, I am encountering a permission denied error.

Could you please help me resolve this issue? I have attached the Terraform main file for your reference.

Error: creating Glue Job (dev-glue-job): operation error Glue: CreateJob, https response error StatusCode: 400, RequestID: 3d988786-fc59-4e52-b9e6-7f4a131a5a57, api error AccessDeniedException: User: arn:aws:iam::382258128167:user/kk_labs_user_118661 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::382258128167:role/dev-glue-role because no identity-based policy allows the iam:PassRole action

Thanks in advance for your support.

Best regards,
Vidya

rob_kodekloud · October 4, 2025, 6:36pm

I don’t see a terraform file attached Also, is this for a lab (if so, please include a link for that) or just something you’re doing on a playground?

vidya4java · October 4, 2025, 8:20pm

Hi @rob_kodekloud , I am using the Playground to work on some use cases. Although I deleted the previous file, we are encountering a similar issue with this scenario. In this case, we have created a Step Function that executes three Lambda functions. When I try to run the Terraform code, I receive the following error:

Error Message:
AccessDeniedException: User ... is not authorized to perform: iam:PassRole on resource .../tf-stepfn-lambda-exec-role

I would appreciate your assistance in resolving this issue.

It has been observed that when I try to assign a new policy to a user to perform the task, we encounter the above error. Similarly, when attempting to create a new user and assign the policy, the same issue occurs. I am unable to attach the file because the new user cannot have files attached.

Regards
Vidya

rob_kodekloud · October 4, 2025, 8:23pm

If you’re creating an IAM object, try naming it starting with iamuser-; this may work better with our playground code. You won’t be able to assign it any more rights than the playground initially grants you, but it may work for certain set ups.

vidya4java · October 5, 2025, 9:06am

Hi @rob_kodekloud , I am not creating any new user, we are trying to set IAM role for Lambda and step function where we are facing issues. Please check the below terraform code for your reference. Let me know if you need any further information.

Sample Code:-

-----------------------

IAM Role for Lambda

-----------------------

resource “aws_iam_role” “lambda_exec” {
name = “tf-stepfn-lambda-exec-role”
assume_role_policy = jsonencode({
Version = “2012-10-17”
Statement = [
{
Action = “sts:AssumeRole”
Effect = “Allow”
Principal = {
Service = “lambda.amazonaws.com”
}
}
]
})
}
resource “aws_iam_role_policy_attachment” “stepfn_lambda_attach” {
role = aws_iam_role.stepfunctions_role.name
policy_arn = “arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess”
}

-----------------------

IAM Role for Step Functions

-----------------------

resource “aws_iam_role” “stepfunctions_role” {
name = “tf-stepfn-exec-role”
assume_role_policy = jsonencode({
Version = “2012-10-17”
Statement = [
{
Action = “sts:AssumeRole”
Effect = “Allow”
Principal = {
Service = “states.amazonaws.com”
}
}
]
})
}
resource “aws_iam_role_policy” “stepfn_invoke_lambdas” {
name = “tf-stepfn-invoke-lambdas”
role = aws_iam_role.stepfunctions_role.id
policy = jsonencode({
Version = “2012-10-17”
Statement = [
{
Effect = “Allow”,
Action = [
“lambda:InvokeFunction”
],
Resource = [“*”]
}
]
})
}

Regards
Vidya

vidya4java · October 5, 2025, 3:36pm

Hi @rob_kodekloud , Observed that when one AWS service (e.g., Lambda) requires access to another service (e.g., S3/DynamoDB), a role or policy must be attached. In the AWS Playground, this attachment is currently restricted. Requesting guidance on how to configure or enable this.

Please provide the steps to do that.

Regards
Vidya

Alistair_KodeKloud · October 5, 2025, 8:01pm

Only roles with specific names are granted iam:PassRole permission. That is, you cannot make up your own role names. Don’t ask me why, but that’s the way it is.
Names that should work

lambda_execution_role
CodeDeployRole
EC2InstanceRole
CodePipelineServiceRole
eksClusterRole
EC2LabRole

vidya4java · October 6, 2025, 3:33pm

Hi @Alistair_KodeKloud /@rob_kodekloud , In AWS play groud I can below only below role the the user.

AWSServiceRoleForAccessAnalyzer
AWSServiceRoleForCloudTrail
AWSServiceRoleForElasticLoadBalancing
AWSServiceRoleForOrganizations
AWSServiceRoleForRDS
AWSServiceRoleForResourceExplorer
AWSServiceRoleForSSO
AWSServiceRoleForSupport
AWSServiceRoleForTrustedAdvisor
OrganizationAccountAccessRole

I am not finding above mentioned role at all.

Regards
Vidya

Alistair_KodeKloud · October 6, 2025, 7:54pm

You won’t find them. You should be able to create roles with those names and then assign them to services

vidya4java · October 7, 2025, 3:59am

Hi @Alistair_KodeKloud/@rob_kodekloud , Thank you very much. I believe I’ve understood the process, and it appears to be working now.

Regards
Vidya