Hello! I’m working on a project where I need to set the Elastic Search Snapshot repository. I’m currently trying to set this through a lambda so that I can create snapshots as needed. I’ve got a full stack deploying properly with serverless currently but I’m having problems with the IAM roles and permissions.
I’ve been following this guide for the AWS-specific portion.
In my serverless.yml, I have the role defined with the trust relationship:

    ESSnapshotConfiguratorRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: 'project-name-${self:provider.stage}-es-snapshot-configurator-role'
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - elastic search url
                  - lambda url
              Action: sts:AssumeRole

And I’ve connected it to my lambda:

    createEsSnapshotRepo:
      handler: src/index.handler
      role: ESSnapshotConfiguratorRole
      events:
        - http:
            path: api/cases/create-repo
            method: POST

The problem is when I run this lambda, I’m getting a response that to me implies there is a problem with the IAM policies and the way they are set up.
response: {Message: User: arn:aws:sts::account-id:assumed-role/project-name-es-snapshot-configurator-role/project-name-createEsSnapshotRepo is not authorized to perform: iam:PassRole on resource: arn:aws:iam::281824550030:role/es-snapshot-configurator-role}
I’ve tried creating another role and having that role have an iam:PassRole for the snapshot-configurator-role, but that just results in the failure complaining about not being able to PassRole with the new role name instead.
Kind of at a loss so any help or guidance would be greatly appreciated!
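
Added example, not part of the original post: a small Python check that reads the caller, action and resource out of the access-denied message quoted above and tests whether a candidate identity policy on the calling role would allow that exact request. The two policy documents are constructed for illustration, and evaluation is simplified to `Action`/`Resource` matching with Allow and explicit Deny (conditions, `NotAction`, permission boundaries and SCPs are not modelled).

```python
import re

# Error text copied from the post above.
MESSAGE = ("User: arn:aws:sts::account-id:assumed-role/"
           "project-name-es-snapshot-configurator-role/project-name-createEsSnapshotRepo "
           "is not authorized to perform: iam:PassRole on resource: "
           "arn:aws:iam::281824550030:role/es-snapshot-configurator-role")

DENIED = re.compile(r"User: (?P<caller>\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>[^\s}]+)")

def parse_denial(message):
    """Split an AWS access-denied message into caller, action and resource."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an access-denied message")
    return m.groupdict()

def caller_role(caller_arn):
    """Role name behind an STS ARN of the form ...:assumed-role/<role>/<session>."""
    return caller_arn.split(":assumed-role/", 1)[1].split("/", 1)[0]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def _applies(stmt, action, resource):
    # Action names compare case-insensitively, resource ARNs case-sensitively.
    return (any(_matches(a, action, True) for a in _listify(stmt.get("Action", [])))
            and any(_matches(r, resource) for r in _listify(stmt.get("Resource", []))))

def policy_allows(policy, action, resource):
    """True if some Allow statement applies and no Deny statement does."""
    hits = [s["Effect"] for s in _listify(policy["Statement"])
            if _applies(s, action, resource)]
    return "Allow" in hits and "Deny" not in hits

def _passrole_policy(role_arn):
    # Constructed identity policy for the calling role (an assumption, not from the post).
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn}]}

ON_DENIED_ARN = _passrole_policy("arn:aws:iam::281824550030:role/es-snapshot-configurator-role")
ON_OTHER_ARN = _passrole_policy("arn:aws:iam::281824550030:role/project-name-es-snapshot-configurator-role")
```

The statement only counts when it is attached to the role named by `caller_role()` and its `Resource` matches the ARN in the message character for character; `ON_OTHER_ARN` fails the check because it names a different role.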