Fix PassRole

Author: Veetaha

codegen/src/policies/ElastioAssetAccountDeployer.ts

@@ -49,8 +49,6 @@ export default {
         "iam:UpdateAssumeRolePolicy",
         "iam:UpdateRoleDescription",
 
-        "iam:PassRole",
-
         "iam:PutRolePolicy",
         "iam:DeleteRolePolicy",
 
@@ -97,5 +95,11 @@ export default {
         "arn:*:iam::*:policy/*Elastio*",
       ],
     },
+    {
+      Sid: "ElastioIamPassRole",
+      // PassRole doesn't support tag-based conditions
+      Action: "iam:PassRole",
+      Resource: ["arn:*:iam::*:role/*Elastio*"],
+    },
   ],
 } satisfies iam.Policy;

iam-policies/terraform/policies/ElastioAssetAccountDeployer.json

@@ -40,7 +40,6 @@
           "iam:UpdateRole",
           "iam:UpdateAssumeRolePolicy",
           "iam:UpdateRoleDescription",
-          "iam:PassRole",
           "iam:PutRolePolicy",
           "iam:DeleteRolePolicy",
           "iam:PutRolePermissionsBoundary",
@@ -73,6 +72,12 @@
           "arn:*:iam::*:policy/*Elastio*"
         ],
         "Effect": "Allow"
+      },
+      {
+        "Sid": "ElastioIamPassRole",
+        "Action": "iam:PassRole",
+        "Resource": ["arn:*:iam::*:role/*Elastio*"],
+        "Effect": "Allow"
       }
     ]
   }