AWS Automation Documents
Automate AWS AMIs
Obsequious and Servile
The second role I’ll call InstanceRole (as it’s also referenced across a number of AWS docs). To help you remember which role does what, I’ll refer to it as the servant.
As intimated earlier when I explained the PassRole IAM functionality that AWS provides, I also need to attach an IAM role to the EC2 instances when I run, stop, and terminate them. This role will pass through, if you like, and get access to the main AutomationRole permissions. AWS System and Organization Controls (SOCs) state:
PassRole is not an API action in the same way that RunInstances or ListInstanceProfiles is. Instead, it’s a permission that AWS checks whenever a role ARN [Amazon Resource Name] is passed as a parameter to an API (or the console does this on the user’s behalf). It helps an administrator to control which roles can be passed by which users. In this case, it ensures that the user is allowed to attach a specific role to an Amazon EC2 instance. (AWS Docs)
In the case of InstanceRole, I’ll begin by configuring the Trust relationship, which is nice and easy because it requires the same configuration as AutomationRole. Simply run through the same steps and use the JSON as seen in Figure 4.
Managed Policy
I also need a managed policy for the unctuous InstanceRole role. This time, however, the servant isn’t going to be given nearly as much standing in the IAM community. You should be able to follow the steps above for attaching an AWS managed policy, but this time, the name of the policy is AmazonEC2RoleforSSM. Figure 6 shows how you can look inside managed policies and learn more about IAM settings.
Inline Policy
Thankfully the last step isn’t too arduous, either: creating a final inline policy for InstanceRole. Remember, however, that this role needs the slave-like PassRole capability so InstanceRole can speak to AutomationRole correctly and temporarily inherit some of its permissions. Therefore, I replace the X characters shown in Listing 1 with the account number in the ARN field. Replace this role name with the AutomationRole ARN.
Listing 1: The AutomationRole ARN in the InstanceRole Inline Policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::XXXXXXXXX:role/AutomationRole"
        }
    ]
}
In Figure 7, you can see where to find the role ARN. The image is redacted to protect the innocent (well, my Amazon account number). The redacted black box is where the AWS account number and role ID are, which are needed to replace the Xs in Listing 1.
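Because a PassRole grant is the hinge that lets the servant borrow AutomationRole's permissions, it is worth linting the inline policy before attaching it. The Python below is an added example (not from the article or from AWS tooling): it checks that every Allow statement granting iam:PassRole names exactly one concrete role ARN for AutomationRole in a real 12-digit account, flagging wildcards and the unreplaced Xs from Listing 1; the filled-in account number is a constructed sample value.

```python
"""Lint an iam:PassRole policy such as the InstanceRole inline policy
in Listing 1. Added example; the sample policies below are constructed."""
import json

def check_passrole_policy(policy_json, expected_role="AutomationRole"):
    """Return a list of findings; an empty list means every Allow statement
    granting iam:PassRole is scoped to one concrete ARN for expected_role."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("iam:passrole", "iam:*", "*") for a in actions):
            continue  # this statement does not grant PassRole at all
        if not any(a.lower() == "iam:passrole" for a in actions):
            findings.append(f"{sid}: PassRole granted through a wildcard action")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if "*" in res:
                findings.append(f"{sid}: PassRole on wildcard resource {res!r}")
                continue
            parts = res.split(":")  # arn:<partition>:iam::<account>:role/<name>
            if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam"
                    or not parts[5].startswith("role/")):
                findings.append(f"{sid}: {res!r} is not an IAM role ARN")
                continue
            account, role = parts[4], parts[5][len("role/"):]
            if not (account.isdigit() and len(account) == 12):
                findings.append(f"{sid}: account field {account!r} is not a "
                                "12-digit account id (placeholder Xs left in?)")
            if role != expected_role:
                findings.append(f"{sid}: passes {role!r}, expected {expected_role!r}")
    return findings

# Constructed samples: Listing 1 as printed (Xs unreplaced) and a filled-in copy.
TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::XXXXXXXXX:role/AutomationRole"}]})
FILLED_IN = TEMPLATE.replace("XXXXXXXXX", "123456789012")  # constructed account id
TOO_BROAD = TEMPLATE.replace("arn:aws:iam::XXXXXXXXX:role/AutomationRole", "*")

if __name__ == "__main__":
    for name, pol in (("template", TEMPLATE), ("filled-in", FILLED_IN),
                      ("too broad", TOO_BROAD)):
        print(f"{name}: {check_passrole_policy(pol) or 'OK'}")
```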