```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::123456789012:role/*"
  }
}
```
To launch an instance with a role, the developer must have permission to launch EC2 instances and permission to pass IAM roles. This is needed even with the PowerUserAccess profile.
Caution: use of the `"*"` wildcard for `Resource` allows the use of any role.
- Allow seeing already defined roles: `ListInstanceProfiles`
- Allow an EC2 instance to use a selected role: `PassRole`
### Method

Add this as an "Inline Policy":

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1465081889000",
      "Effect": "Allow",
      "Action": [
        "iam:ListInstanceProfiles",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
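The caution above applies to both policies on this page: `iam:PassRole` on `"*"` (or `role/*`) lets the developer attach any role in the account to an instance. The following is an added example, not from the original page or AWS, that flags such statements in a policy document and emits a hardened copy in which `iam:PassRole` is limited to one role ARN (a constructed placeholder) while `iam:ListInstanceProfiles`, which takes no resource type, stays on `"*"`; the sample policy is the inline policy shown above, embedded as a constructed input.

```python
import json

# Constructed sample: the page's inline policy, which grants iam:PassRole on "*".
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1465081889000",
    "Effect": "Allow",
    "Action": ["iam:ListInstanceProfiles", "iam:PassRole"],
    "Resource": ["*"]
  }]
}"""

def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_broad_passrole(policy_json):
    """Return Sids (or positional labels) of Allow statements that grant
    iam:PassRole on a wildcard resource, i.e. any role can be passed to EC2."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow"
                and actions & {"iam:passrole", "iam:*", "*"}
                and any(r == "*" or r.endswith("role/*") for r in resources)):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

def restrict_passrole(policy_json, role_arn):
    """Return a hardened policy: iam:PassRole is moved to its own statement
    scoped to role_arn; remaining actions keep their original Resource
    (ListInstanceProfiles has no resource type, so "*" is correct there)."""
    policy = json.loads(policy_json)
    new_statements = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        other = [a for a in actions if a.lower() != "iam:passrole"]
        if stmt.get("Effect") == "Allow" and len(other) < len(actions):
            if other:
                new_statements.append({"Effect": "Allow", "Action": other,
                                       "Resource": _as_list(stmt.get("Resource", []))})
            new_statements.append({"Effect": "Allow", "Action": "iam:PassRole",
                                   "Resource": role_arn})
        else:
            new_statements.append(stmt)
    policy["Statement"] = new_statements
    return json.dumps(policy, indent=2)
```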
- [Permissions Required for Using Roles with Amazon EC2](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html#roles-usingrole-ec2instance-permissions)
- [Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission)](https://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission)
- [Troubleshooting Amazon EC2 and IAM](http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_iam-ec2.html)