AWS用户未被授权执行PassRole操作。

我正在尝试使用Windows AWS客户端在AWS Glue中创建作业，但是我收到了“未被授权”执行“iam:PassRole”的消息，如下所示：

Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"


An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action

在AWS中进行的配置是通过使用Terraform完成的，类似于这样：

resource "aws_s3_bucket" "mys3bucket" {

  bucket = "mys3bucket"

  tags = {
    Name            = "mys3bucket"
    ITOwnerEmail    = "my@email.com"
  }

}

resource "aws_s3_bucket_acl" "mys3bucket_acl" {
  bucket = aws_s3_bucket.mys3bucket.id
  acl    = "private"
}


#=========IAM user======#

resource "aws_iam_user" "My_User" {
  name = "My_User "
  path = "/"
}


resource "aws_iam_user_policy" "My_User-p" {
  name = "My_User-p"
  user = "My_User"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mys3bucket"
    },
    {
      "Action": "glue:*",
      "Effect": "Allow",
      "Resource": "*"
    },  
#-- THIS IS THE SOLUTION -- # 
    {
      "Action":[
            "iam:GetRole",
            "iam:PassRole"
        ],
      "Effect":"Allow",
      "Resource": "*"
    }
  ]
}
EOF
}


#===========S3-Bucket-policy=======#

resource "aws_s3_bucket_policy" "mys3bucket-p" {

  bucket = aws_s3_bucket.mys3bucket.id

  policy = <<POLICY
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111:user/My_User"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::mys3bucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111:user/My_User"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mys3bucket"
        }
    ]
}
POLICY
}

#===========Glue-policy=======#

resource "aws_iam_role" "My_Role" {
  name               = "My_Role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
              "Service": [
                   "ec2.amazonaws.com",
                   "glue.amazonaws.com"
              ]
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

### Attach policy to above Role ###

resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
  role       = aws_iam_role.My_Role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

#===========IAM-Pass-Role=======#


resource "aws_iam_policy" "My_IAMPass_policy" {
  name        = "My_IAMPass_policy"
  description = "IAM Pass Role Policy"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::1111:role/My_Role"
        }
    ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "My_IAMPass_attach" {
  role       = aws_iam_role.My_Role.name
  policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}

我尝试附加 IAM Pass Role，但它仍然失败了，我不知道原因。

欢迎任何帮助。提前感谢您。

解决方案：在代码中添加。