I need to call PutSubscriptionFilter for a Firehose data stream. I created my role that trusts the logs.amazonaws.com service and allows it to put records. There is a permission boundary on my user that has a condition on iam:PassedToService to restrict iam:PassRole to a few AWS services but logs.amazonaws.com is included.
When I call PutSubscriptionFilter I get
User: my-user is not authorized to perform: iam:PassRole on resource: my-role-arn because no permissions boundary allows the iam:PassRole action.
I added every possible service as {service}.amazonaws.com and {service}.{region}.amazonaws.com, but the result is always the same.
I looked at the error in CloudTrail. I read every bit of documentation. I asked Q. I can only put the subscription filter if I completely remove the condition on iam:PassedToService from the permissions boundary policy.
Must I add a different service, or is logs simply not supported by iam:PassedToService for logs:PutSubscriptionFilter?