AWS allow user to call create-role

Question

When trying to create a role http://docs.aws.amazon.com/vm-import/latest/userguide/import-vm-image.html i run into the following error (AccessDenied) when calling the CreateRole operation: User: arn:aws:iam::806409516843:user/<username> is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::806409516843:role/vmimport.

I have tried reading the docs and doing many google searches on the subject but can't seem to find a way to allow my user to create a role. Please help.

score 9 · Accepted Answer · answered Dec 26 '16 at 00:39

9

If you have root access to your account, you can just write your own policy and attach it to the user (AWS Console => IAM => Users => Add inline policy). Here is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

answered Dec 26 '16 at 00:39

Sergey Kovalev

336
1
3

Thanks. Found another solution but this works – Menachem Hornbacher Dec 26 '16 at 00:53
4

@CyberGeek.exe, if you have time, could you post the alternate solution? – Matthew Sep 03 '17 at 15:36
1

I also had to add "iam:AttachRolePolicy" to "Action" field. And I removed "Sid" as I don't know why it is needed and what to put there, but without it skill works perfectly. – rightaway717 May 04 '18 at 08:11

score 0 · Answer 2 · answered Aug 26 '19 at 05:24

0

I went with AttachPolicy (to a group but I suppose you could do it to a single user as well) and attached AdministratorAccess. This may later be revealed to be a poor choice but I figured it would cover me for anything else I need to do.

answered Aug 26 '19 at 05:24

Bowie Owens

123

AWS allow user to call create-role

2 Answers2