Creating the PassRole IAM Policy

AWS Identity & Access Management (IAM) manages credentials for the Cluster Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grant the associated instances permissions such as starting, stopping, and terminating instances in EC2, associating IAM roles with a new instance, or updating records in the Route 53 service.

A PassRole permission allows an application to associates the specified IAM roles with an EC2 instance. The PassRole IAM Policy described in the following instructions allows the Cluster Manager and its nodes to assign the atc-node role to new instances.

Tip: The atc-node role is described later in a later topic. For more information, see Creating the IAM Role for the Transfer Nodes.

From the AWS console, go to Security & Identity > Identity & Access Management and select Policies from the Details sidebar.
Click Create Policy. Select the Create Your Own Policy option.
Name the new policy atc-pass-node-role-policy.

Enter the following policy into the Policy Document field.

{
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow",
            "Action": "iam:PassRole", 
            "Resource": "arn:aws:iam::your_aws_account_id:role/atc-node"
        }
    ] 
}

For example, if your AWS account ID is 123456789012, the Resource object would be the following:

"Resource": "arn:aws:iam:123456789012:role/atc-node"

Click Validate Policy to check for formatting issues. The policy must be well-formed JSON text.
Click Create Policy.