What is the iam:PassRole permission in AWS IAM

Tamás Sallai

PassRole is a special action: it is not called on its own, but is checked in addition to some other action. For example, when you create a Lambda function, PassRole is also checked.

It is listed in the reference table:

CreateFunction Dependent actions: iam:PassRole

This means that when the CreateFunction API is called, AWS checks two permissions: lambda:CreateFunction, to make sure the caller is allowed to create Lambda functions, and iam:PassRole for the role specified in the request.

Why is this needed?

This mechanism makes sure that users can only configure the roles they are explicitly allowed to, and cannot accidentally gain more permissions.

Imagine a role that has access to the production database. Without the PassRole check, any user who can create Lambda functions could simply upload some code, configure the production role for it, and effectively gain access to the protected resource.

PassRole prevents this: the user has no PassRole permission for that role (the role is the resource in the policy statement), so they cannot configure a Lambda function with it.
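To make the two-permission check concrete, here is a small added example (not from the original post, and a simplification of real IAM evaluation) that models a developer policy allowing lambda:CreateFunction on any function but iam:PassRole on a single role. The ARNs and the policy are constructed for illustration.

```python
"""Toy model of the CreateFunction + PassRole check described above."""
from fnmatch import fnmatchcase

# Constructed sample policy for a developer identity (hypothetical account/role ARNs):
# may create any Lambda function, but may only pass the "lambda-dev-role".
DEV_POLICY = [
    {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/lambda-dev-role"},
]


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow grants.

    IAM's '*' and '?' wildcards are approximated with fnmatch (ARNs contain no brackets).
    """
    allowed = False
    for stmt in policy:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def create_function(policy, function_arn, role_arn):
    """Mirror what CreateFunction checks: lambda:CreateFunction on the function
    AND iam:PassRole with the role as the resource. Both must pass."""
    if not is_allowed(policy, "lambda:CreateFunction", function_arn):
        return "denied: lambda:CreateFunction"
    if not is_allowed(policy, "iam:PassRole", role_arn):
        return "denied: iam:PassRole on " + role_arn
    return "allowed"


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:123456789012:function:my-fn"
    print(create_function(DEV_POLICY, fn, "arn:aws:iam::123456789012:role/lambda-dev-role"))
    # Passing the production role fails on the second check, not the first.
    print(create_function(DEV_POLICY, fn, "arn:aws:iam::123456789012:role/prod-db-role"))
```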

Because of this, PassRole is itself a powerful permission. As a rule of thumb, if an identity can pass a role, that role's permissions are effectively added to the identity's own set of permissions.

February 20, 2025
