AWS IAM glossary

What is iam:PassRole?

iam:PassRole is the IAM permission that lets a principal hand an existing IAM role to an AWS service, so the service can act as that role.

IAM roles cannot be "used" directly the way access keys can — a principal has to explicitly pass a role to a service (EC2, Lambda, Glue, CloudFormation, ECS, and others) for that service to assume it on the principal's behalf. iam:PassRole is the permission that authorizes handing a role over this way. Without it, an identity can see that a role exists but cannot attach it to anything.

It is one of the most consequential permissions in IAM because it does not grant the passed role's permissions directly — it grants the ability to make a service run *as* that role. If the role passed is more privileged than the principal itself, the principal has effectively escalated its own reach, which is why nearly every documented IAM privilege-escalation path involving compute services (EC2, Lambda, Glue, CloudFormation, ECS, SageMaker, CodeBuild, DataPipeline) requires PassRole as one of the two ingredients.

Example

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::123456789012:role/app-execution-role",
  "Condition": {
    "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }
  }
}

Common mistake

Granting iam:PassRole on Resource "*" for convenience. That lets the principal pass *any* role in the account — including highly privileged ones — to any service they control. Scope Resource to the specific role ARNs required, and add an iam:PassedToService condition so the role can only be handed to the intended service.
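The two checks described above (Resource scoped to a role ARN, and an iam:PassedToService condition present) can be run over a policy document before it ships. The following is an added example, not Shieldly's own code or a page-provided tool; the sample policy is constructed, and it only inspects Allow statements that use Action (NotAction grants are not handled).

```python
import fnmatch
import json

# Constructed sample policy (not from the page): one "Resource: *" statement, one
# properly scoped statement, and one where a wildcard action hides PassRole.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/app-execution-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "HiddenByWildcard", "Effect": "Allow", "Action": "iam:Pass*",
         "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
})

def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allows_passrole(stmt):
    """True if an Allow statement's Action matches iam:PassRole (NotAction not handled)."""
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return False
    # Action names are case-insensitive and may contain * (iam:*, iam:Pass*).
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower()) for a in _as_list(stmt["Action"]))

def _has_passed_to_service(stmt):
    """True if any condition operator constrains iam:PassedToService."""
    return any(k.lower() == "iam:passedtoservice"
               for keys in stmt.get("Condition", {}).values() for k in keys)

def find_weak_passrole(policy_json):
    """Return one finding per PassRole statement that is broader than it should be."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _allows_passrole(stmt):
            continue
        reasons = []
        if any("*" in r for r in _as_list(stmt.get("Resource", "*"))):
            reasons.append("Resource uses a wildcard: any matching role can be passed")
        if not _has_passed_to_service(stmt):
            reasons.append("no iam:PassedToService condition: role can go to any service")
        if reasons:
            findings.append({"Sid": stmt.get("Sid", "<no Sid>"), "reasons": reasons})
    return findings
```

Calling find_weak_passrole(SAMPLE_POLICY) flags TooBroad and HiddenByWildcard and leaves Scoped alone; the same function can be pointed at any policy JSON pulled from an account.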


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.