Assistance Required – Permission Denied Error During Terraform Apply

Hi Team,

I am working on creating AWS infrastructure for one of my ETL requirements using Terraform. While running the terraform apply command, I am encountering a permission denied error.

Could you please help me resolve this issue? I have attached the Terraform main file for your reference.

Error: creating Glue Job (dev-glue-job): operation error Glue: CreateJob, https response error StatusCode: 400, RequestID: 3d988786-fc59-4e52-b9e6-7f4a131a5a57, api error AccessDeniedException: User: arn:aws:iam::382258128167:user/kk_labs_user_118661 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::382258128167:role/dev-glue-role because no identity-based policy allows the iam:PassRole action

Thanks in advance for your support.

Best regards,
Vidya

I don’t see a terraform file attached :frowning: Also, is this for a lab (if so, please include a link for that) or just something you’re doing on a playground?

Hi @rob_kodekloud, I am using the Playground to work on some use cases. Although I deleted the previous file, we are encountering a similar issue with this scenario. In this case, we have created a Step Function that executes three Lambda functions. When I try to run the Terraform code, I receive the following error:

Error Message:
AccessDeniedException: User ... is not authorized to perform: iam:PassRole on resource .../tf-stepfn-lambda-exec-role

I would appreciate your assistance in resolving this issue.

It has been observed that when I try to assign a new policy to a user to perform the task, we encounter the above error. Similarly, when attempting to create a new user and assign the policy, the same issue occurs. I am unable to attach the file because the new user cannot have files attached.

Regards
Vidya

If you’re creating an IAM object, try naming it starting with iamuser-; this may work better with our playground code. You won’t be able to assign it any more rights than the playground initially grants you, but it may work for certain set ups.

Hi @rob_kodekloud, I am not creating any new user; we are trying to set up IAM roles for Lambda and Step Functions, which is where we are facing issues. Please check the Terraform code below for your reference. Let me know if you need any further information.

Sample Code:

-----------------------

IAM Role for Lambda

-----------------------

# Execution role that the Lambda service assumes
resource "aws_iam_role" "lambda_exec" {
  name = "tf-stepfn-lambda-exec-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      }
    ]
  })
}

# Managed policy attached to the Step Functions role
resource "aws_iam_role_policy_attachment" "stepfn_lambda_attach" {
  role       = aws_iam_role.stepfunctions_role.name
  policy_arn = "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess"
}

-----------------------

IAM Role for Step Functions

-----------------------

# Execution role that the Step Functions service assumes
resource "aws_iam_role" "stepfunctions_role" {
  name = "tf-stepfn-exec-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "states.amazonaws.com"
        }
      }
    ]
  })
}

# Inline policy letting the state machine invoke the Lambda functions
resource "aws_iam_role_policy" "stepfn_invoke_lambdas" {
  name = "tf-stepfn-invoke-lambdas"
  role = aws_iam_role.stepfunctions_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "lambda:InvokeFunction"
        ],
        Resource = ["*"]
      }
    ]
  })
}

Regards
Vidya

Hi @rob_kodekloud, I observed that when one AWS service (e.g., Lambda) requires access to another service (e.g., S3/DynamoDB), a role or policy must be attached. In the AWS Playground, this attachment is currently restricted. Requesting guidance on how to configure or enable this.

Please provide the steps to do that.

Regards
Vidya

Only roles with specific names are granted iam:PassRole permission. That is, you cannot make up your own role names. Don’t ask me why, but that’s the way it is.
Names that should work:

  • lambda_execution_role
  • CodeDeployRole
  • EC2InstanceRole
  • CodePipelineServiceRole
  • eksClusterRole
  • EC2LabRole
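
The error in this thread is an implicit deny: no identity-based policy statement matches both `iam:PassRole` and the role's ARN. The following added example (not part of the thread, nor KodeKloud's own playground policy) models a policy that allows PassRole only on the role names listed above, and evaluates it the way IAM would, so you can see why `dev-glue-role` is denied while `lambda_execution_role` passes; the account ID and the exact policy wording are assumptions.

```python
import fnmatch
import json
from typing import Dict

# Constructed identity-based policy modelled on the answer above: iam:PassRole is
# allowed only for a fixed set of role names. This is an assumption about the
# playground's policy, not a copy of it.
PLAYGROUND_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/lambda_execution_role",
        "arn:aws:iam::*:role/CodeDeployRole",
        "arn:aws:iam::*:role/EC2InstanceRole",
        "arn:aws:iam::*:role/CodePipelineServiceRole",
        "arn:aws:iam::*:role/eksClusterRole",
        "arn:aws:iam::*:role/EC2LabRole"
      ]
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict, action: str, resource_arn: str) -> bool:
    """Evaluate one identity policy: an explicit Deny wins, any Allow grants,
    and no matching statement at all is an implicit deny (the thread's case).
    Action matching is case-insensitive; resource ARNs use '*' wildcards."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def role_arn(account: str, name: str) -> str:
    # Account ID used by callers is a constructed placeholder, not a real account.
    return f"arn:aws:iam::{account}:role/{name}"
```

Calling `is_allowed(PLAYGROUND_POLICY, "iam:PassRole", role_arn("123456789012", "dev-glue-role"))` returns `False`, while the same call with `lambda_execution_role` returns `True`; renaming the role in Terraform is therefore the fix, not adding more policy to the user.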

Hi @Alistair_KodeKloud/@rob_kodekloud, in the AWS Playground I can see only the roles below for the user.

AWSServiceRoleForAccessAnalyzer
AWSServiceRoleForCloudTrail
AWSServiceRoleForElasticLoadBalancing
AWSServiceRoleForOrganizations
AWSServiceRoleForRDS
AWSServiceRoleForResourceExplorer
AWSServiceRoleForSSO
AWSServiceRoleForSupport
AWSServiceRoleForTrustedAdvisor
OrganizationAccountAccessRole

I am not finding the above-mentioned roles at all.

Regards
Vidya

You won’t find them. You should be able to create roles with those names and then assign them to services.

Hi @Alistair_KodeKloud/@rob_kodekloud , Thank you very much. I believe I’ve understood the process, and it appears to be working now.

Regards
Vidya