
I am currently using AWS Lambda to trigger an asynchronous Amazon Comprehend job. The data I am using is stored in an input folder in an S3 bucket, and I am trying to output the file in that same bucket, in an output folder. The roles I have for this job are "ComprehendFullAccess" and "AWSLambdaExecute", and this is the code:

import boto3

def lambda_handler(event, context):
    s3 = boto3.client("s3")
    bucket = "bucketName"
    key = "input/inputTextFile.txt"
    text = s3.get_object(Bucket=bucket, Key=key)
    # Body is a streaming body of bytes; decode it instead of str()-ing the bytes object
    review = text['Body'].read().decode('utf-8')
    client = boto3.client('comprehend')
    # Comprehend reads the input straight from S3 using DataAccessRoleArn;
    # the caller must be allowed to pass that role (iam:PassRole)
    response = client.start_sentiment_detection_job(
        InputDataConfig={
            'S3Uri': 's3://bucketName/input/inputTextFile.txt',
            'InputFormat': 'ONE_DOC_PER_LINE',
            'DocumentReaderConfig': {
                'DocumentReadAction': 'TEXTRACT_ANALYZE_DOCUMENT',
                'DocumentReadMode': 'SERVICE_DEFAULT',
                'FeatureTypes': [
                    'FORMS'
                ]
            }
        },
        OutputDataConfig={
            'S3Uri': 's3://bucketName/output/'
        },
        DataAccessRoleArn='arn:aws:iam::randomNumbers:role/testrole',
        JobName='nameOfMyJob',
        LanguageCode='en'
    )
    print(response)
    return "response"

It keeps generating this error:

{
  "errorMessage": "An error occurred (AccessDeniedException) when calling the StartSentimentDetectionJob operation: User: arn:aws:sts::randomNumbers:assumed-role/testrole/testfunc is not authorized to perform: iam:PassRole on resource: arn:aws:iam::randomNumbers:role/testrole because no identity-based policy allows the iam:PassRole action",
  "errorType": "ClientError",
  "requestId": "d3a54dbd-a011-42f0-bc74-440ce9cbaa8d",
  "stackTrace": [
    "  File \"/var/task/lambda_function.py\", line 10, in lambda_handler\n    response = client.start_sentiment_detection_job(\n",
    "  File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
    "  File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
  ]
}

I am not sure if there is an error with my code, or if it is a role/permission issue. For the role, this is what I have as my trust entity:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Is this a code or a permission issue? Here is the API I used for the response line: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/comprehend.html#Comprehend.Client.start_sentiment_detection_job Thanks in advance for the help!

Edit: here is my updated user JSON policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::randomNumbers:role/testrole"
    }]
}
bendan

1 Answer


Simply put, your user arn:aws:sts::randomNumbers:assumed-role/testrole/testfunc needs this policy attached.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::randomNumbers:role/testrole"
    }]
}

Refer to this doc for more information as to why iam:PassRole is needed. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

jsn
  • Thank you so much. I created a user and added this policy to the permission JSON, but I still get the same error message. Do you think it is an error with my code within the start_sentiment_detection_job API portion? – bendan Aug 07 '22 at 01:10
  • Could you please show me the policy JSON for the user in question (remove any sensitive params if needed). The error itself is explicitly permission denied, so the user role running the above code needs to have `iam:PassRole`. Are you sure the error is the same as above? – jsn Aug 07 '22 at 18:55
  • Hi, thank you very much. I attached the user policy I did as an edit, and it does have PassRole. – bendan Aug 08 '22 at 18:47
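The comment thread turns on where the PassRole policy is attached: the error names `assumed-role/testrole/testfunc`, so IAM evaluates the policies attached to the role `testrole` (the Lambda execution role), and a policy attached to a separate IAM user is never consulted. The script below is an added example, not code from the question or the answer. It models IAM evaluation in a deliberately simplified way (explicit Deny wins, any matching Allow grants, otherwise implicit deny; no Conditions, NotAction, permission boundaries or SCPs), parses the principal out of the AccessDenied message, and checks the question's own policy and trust document. The principal name `some-new-user` is a constructed stand-in for the user the asker created.

```python
"""Offline check for the iam:PassRole AccessDenied error shown in the question.

Simplified IAM evaluation model (constructed for this example): an explicit
Deny wins, any matching Allow grants, otherwise the request is implicitly
denied. Conditions, NotAction/NotResource, permission boundaries and SCPs are
not modelled.
"""
import fnmatch
import re


def _as_list(value):
    """Action, Resource and Principal.Service may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    """IAM-style wildcard match ('*' and '?') of target against any pattern."""
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Evaluate identity-based policies for one action on one resource ARN.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            actions = [a.lower() for a in _as_list(stmt.get("Action"))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(_as_list(stmt.get("Resource")), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def principal_from_error(message):
    """Map the 'User:' ARN of an AccessDenied message to the IAM entity whose
    policies are evaluated: assumed-role/<role>/<session> -> ("role", <role>),
    user/<name> -> ("user", <name>). A role session never reads user policies."""
    m = re.search(r"User: arn:aws:(?:sts|iam)::[^:]*:(assumed-role|user)/([^/\s]+)", message)
    if not m:
        return None
    return ("role" if m.group(1) == "assumed-role" else "user"), m.group(2)


def can_pass_role(attachments, error_message, role_arn):
    """attachments maps (kind, name) -> list of identity policies attached to it.
    Returns True when the principal named in the error may pass role_arn."""
    policies = attachments.get(principal_from_error(error_message), [])
    return is_allowed(policies, "iam:PassRole", role_arn)


def trusted_services(trust_policy):
    """Service principals that the role's trust policy lets assume the role."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches([a.lower() for a in _as_list(stmt.get("Action"))], "sts:assumerole"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


# Values taken from the question; "randomNumbers" is the asker's own account-id placeholder.
TEST_ROLE_ARN = "arn:aws:iam::randomNumbers:role/testrole"
ERROR_MESSAGE = (
    "User: arn:aws:sts::randomNumbers:assumed-role/testrole/testfunc is not "
    "authorized to perform: iam:PassRole on resource: " + TEST_ROLE_ARN
)
PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": TEST_ROLE_ARN}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def scenario_policy_on_user():
    """What the asker tried after the answer: policy on a newly created IAM user
    (constructed name). The error's principal is a role session, so this fails."""
    return can_pass_role({("user", "some-new-user"): [PASSROLE_POLICY]}, ERROR_MESSAGE, TEST_ROLE_ARN)


def scenario_policy_on_role():
    """Policy attached to the execution role named in the error: this succeeds."""
    return can_pass_role({("role", "testrole"): [PASSROLE_POLICY]}, ERROR_MESSAGE, TEST_ROLE_ARN)


if __name__ == "__main__":
    print("PassRole allowed with policy on an IAM user:", scenario_policy_on_user())
    print("PassRole allowed with policy on testrole:   ", scenario_policy_on_role())
    print("services trusted by testrole:", sorted(trusted_services(TRUST_POLICY)))
```

Two practical notes. First, the role handed to Comprehend as `DataAccessRoleArn` is assumed by Comprehend itself, so its trust policy has to allow `comprehend.amazonaws.com` to call `sts:AssumeRole`; the trust document in the question only trusts `lambda.amazonaws.com`, which `trusted_services` makes visible, so passing the Lambda execution role itself as the data-access role will need that trust added. Second, keep the PassRole grant as narrow as the answer shows (a single role ARN, not `*`); the `iam:PassedToService` condition key can additionally restrict which service the role may be passed to. For a real account, `iam:SimulatePrincipalPolicy` (boto3 `simulate_principal_policy`) performs the authoritative evaluation that this toy model approximates.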