Pass role permissions - Amazon IoT Core

Pass role permissions

Part of a rule definition is an IAM role that grants permission to access resources specified in the rule's action. The rules engine assumes that role when the rule's action is invoked. The role must be defined in the same Amazon Web Services account as the rule.

When you create or replace a rule, you are, in effect, passing a role to the rules engine. The iam:PassRole permission is required to perform this operation. To ensure that you have this permission, create a policy that grants the iam:PassRole permission and attach it to your IAM user. The following policy shows how to allow the iam:PassRole permission for a role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/myRole"
            ]
        }
    ]
}

In this policy example, the iam:PassRole permission is granted for the role myRole. The role is specified using the role's ARN. Attach this policy to your IAM user or to the role that your user belongs to. For more information, see Working with Managed Policies.
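
The following check is an added example, not part of the original documentation. It audits a policy document for iam:PassRole grants that are broader than the one shown above: wildcard resources, wildcard actions that include iam:PassRole, and statements with no iam:PassedToService condition. The function names, the constructed sample policies, and the use of iot.amazonaws.com as the service principal in the condition are assumptions made for illustration.

```python
import re

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_passrole(policy):
    """List the ways each Allow statement grants iam:PassRole too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))  # NotAction is not evaluated here
        if stmt.get("Effect") != "Allow" or not any(
                _matches(a, "iam:PassRole") for a in actions):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for res in _as_list(stmt.get("Resource")):
            if "*" in res:
                findings.append(f"{sid}: wildcard Resource {res!r}")
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "iam:passedtoservice" not in keys:
            findings.append(f"{sid}: no iam:PassedToService condition")
    return findings

def _policy(sid, action, resource, condition=None):
    """Build a one-statement policy document (helper for the samples below)."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": action, "Resource": resource}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

ROLE = "arn:aws:iam::123456789012:role/myRole"           # role ARN from the page
PAGE_POLICY = _policy("Stmt1", ["iam:PassRole"], [ROLE])  # the page's policy
BROAD = _policy("Broad", "iam:*", "*")                    # constructed sample
SCOPED = _policy("Stmt1", ["iam:PassRole"], [ROLE],       # constructed sample;
                 {"StringEquals": {"iam:PassedToService": "iot.amazonaws.com"}})  # assumed principal

if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("broad", BROAD), ("scoped", SCOPED)]:
        print(name, audit_passrole(doc))
```

An empty result means the statement names specific roles and restricts which service can receive them.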


Lambda functions use a resource-based policy, where the policy is attached directly to the Lambda function itself. When you create a rule that invokes a Lambda function, you don't pass a role, so the user creating the rule doesn't need the iam:PassRole permission. For more information about Lambda function authorization, see Granting Permissions Using a Resource Policy.