Understanding the functionality of iam:PassRole permission in AWS

I’m working with AWS IAM policies and came across this permission configuration:

{
    "Effect": "Allow",
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::${AWS::AccountId}:role/my-lambda-role*"
    ],
    "Condition": {
        "StringLikeIfExists": {
            "iam:PassedToService": "lambda.amazonaws.com"
        }
    }
}

I’m using this policy when deploying serverless applications with CloudFormation. My template includes Lambda functions that need specific execution roles. Can someone explain what this IAM policy statement actually allows me to do? I understand it’s related to passing roles to services, but I want to make sure I grasp the exact mechanism and purpose of this permission.

The iam:PassRole permission is a security feature in AWS that prevents privilege escalation. When you deploy a Lambda function via CloudFormation, it needs an execution role attached to the function. Without the iam:PassRole permission, AWS will block attempts to assign this role, which could allow unauthorized permission escalation. In your policy, you permit CloudFormation to assign roles that match “my-lambda-role*” specifically to the Lambda service only. The condition ensures roles cannot be incorrectly assigned to other services, enhancing security in serverless deployments. It can be confusing, but you effectively need permission to pass a role, even if you created it, as a safeguard against misusing permissions.

Think of iam:PassRole as AWS making you explicitly say “yes, I’m okay with handing this role to another service.” Your policy basically says “I can give roles starting with ‘my-lambda-role’ to Lambda functions, but only Lambda - nothing else.” This stops someone from accidentally (or intentionally) giving a powerful role to the wrong service. Without this permission, CloudFormation can’t create your Lambda functions because it doesn’t have permission to assign the execution role. The iam:PassedToService condition is extra protection - it makes sure these roles only go to Lambda, not EC2 or other services that could abuse those permissions.

iam:PassRole is like a gatekeeper that stops you from handing out roles you shouldn’t. When CloudFormation creates your Lambda, it has to “pass” the execution role to the Lambda service. Without this permission, your deployment crashes since AWS thinks you’re trying to escalate privileges. The condition you set makes sure only Lambda can receive those roles - not some random service that might abuse them.
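To make the mechanism the answers describe concrete, here is an added example (not from the question or any of the answers) that evaluates the statement from the question against a few constructed PassRole requests. It assumes a placeholder account id 123456789012 in place of ${AWS::AccountId}, models only a single Allow statement with the String condition operators, and ignores the rest of a real policy evaluation (other statements, explicit Deny, resource policies).

```python
import copy
import re

# Constructed sample statement: the question's, with a placeholder account id.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": ["arn:aws:iam::123456789012:role/my-lambda-role*"],
    "Condition": {"StringLikeIfExists": {"iam:PassedToService": "lambda.amazonaws.com"}},
}
# Same statement with plain StringLike, for comparison: without "IfExists" a
# request that carries no iam:PassedToService key fails the condition.
STRICT_STATEMENT = copy.deepcopy(STATEMENT)
STRICT_STATEMENT["Condition"] = {"StringLike": STATEMENT["Condition"]["StringLikeIfExists"]}


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style match: '*' is any run of characters, '?' one character, the rest
    literal and case-sensitive (as for ARNs and StringLike values)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context (condition key ->
    value). Supports StringEquals/StringLike and their ...IfExists forms."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("StringEquals", "StringLike"):
            raise NotImplementedError(operator)
        for key, wanted in keys.items():
            wanted = [wanted] if isinstance(wanted, str) else wanted
            if key not in context:
                if if_exists:
                    continue  # key absent: IfExists counts the condition as met
                return False  # key absent, no IfExists: condition not met
            actual = context[key]
            matches = iam_match if base == "StringLike" else (lambda w, v: w == v)
            if not any(matches(w, actual) for w in wanted):
                return False
    return True


def pass_role_allowed(statement: dict, role_arn: str, context: dict) -> bool:
    """Does this single Allow statement permit passing role_arn in this context?
    Effect, Action and Resource must all apply, then the Condition must hold."""
    applies = (statement["Effect"] == "Allow"
               and any(iam_match(a, "iam:PassRole") for a in statement["Action"])
               and any(iam_match(r, role_arn) for r in statement["Resource"]))
    return applies and condition_holds(statement.get("Condition", {}), context)
```

Evaluating a request whose context has no iam:PassedToService key shows exactly what the IfExists suffix changes: STATEMENT allows it, STRICT_STATEMENT does not.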