CloudFormation creating a Lambda with its associated Role
CloudFormation is driving me mad... I have the following CloudFormation script
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Lambda Function + IAM role Resources",
  "Resources": {
    "NFTCalculateCIDLambdaRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Retain",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Description": "Role for execute CalculateCID lambda function",
        "ManagedPolicyArns": [
          "arn:aws:iam::670818552530:policy/PutLogsEventPolicy",
          "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        ],
        "RoleName": "NFT-CalculateCIDLambdaRoleTEST"
      }
    },
    "InterpolazioneRole": {
      "Fn::Join": [
        "",
        [
          "arn:aws:iam::",
          {
            "Ref": "AWS::Account"
          },
          ":role/",
          {
            "Fn::GetAtt": ["CalculateCIDLambdaRole", "RoleName"]
          }
        ]
      ]
    },
    "CalculateCID": {
      "Type": "AWS::Lambda::Function",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Code": {
          "S3Bucket": "deploy-stack",
          "S3Key": "CalculateCID-3496f166-0f1d-40b4-8766-c5d29e4950ff.zip"
        },
        "Description": "Calculates the CID for a given filename",
        "Environment": {
          "Variables": {
            "DELETE_S3_FILE_AFTER_PROCESSING": "true",
            "TMP_DOWNLOAD_BUCKET": "content-temporary-files"
          }
        },
        "FunctionName": "CalculateCID",
        "PackageType": "Zip",
        "Role": "Fn::Join",
        "Runtime": "nodejs12.x"
      }
    }
  }
}
but when I execute it I get
An error occurred (ValidationError) when calling the CreateStackSet operation: Invalid template resource property 'Fn::Join' (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: 106e6351-a4b9-41a4-9d8d-fe2ff6902e87; Proxy: null)
The problem is I don't know how to pass the ARN generated in the previous step... can anyone help me?
Solution 1:[1]
For Lambda Functions, Role has to be specified with its Arn. You can use the return values from this document for the IAM resource. You are trying to create a resource using the Join function, which you cannot. Refer to the ARN of the IAM Role directly from the Lambda.
Update your CloudFormation Role property with Fn::GetAtt and remove the unused resource.
"Role" : {"Fn::GetAtt" : ["NFTCalculateCIDLambdaRole", "Arn"] }
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Lambda Function + IAM role Resources",
  "Resources": {
    "NFTCalculateCIDLambdaRole": {
      "Type": "AWS::IAM::Role",
      "DeletionPolicy": "Retain",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Description": "Role for execute CalculateCID lambda function",
        "ManagedPolicyArns": [
          "arn:aws:iam::670818552530:policy/PutLogsEventPolicy",
          "arn:aws:iam::aws:policy/AmazonS3FullAccess"
        ],
        "RoleName": "NFT-CalculateCIDLambdaRoleTEST"
      }
    },
    "CalculateCID": {
      "Type": "AWS::Lambda::Function",
      "DeletionPolicy": "Retain",
      "Properties": {
        "Code": {
          "S3Bucket": "deploy-stack",
          "S3Key": "CalculateCID-3496f166-0f1d-40b4-8766-c5d29e4950ff.zip"
        },
        "Description": "Calculates the CID for a given filename",
        "Environment": {
          "Variables": {
            "DELETE_S3_FILE_AFTER_PROCESSING": "true",
            "TMP_DOWNLOAD_BUCKET": "content-temporary-files"
          }
        },
        "FunctionName": "CalculateCID",
        "PackageType": "Zip",
        "Role": {"Fn::GetAtt": ["NFTCalculateCIDLambdaRole", "Arn"]},
        "Runtime": "nodejs12.x"
      }
    }
  }
}
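The two defects Solution 1 removes (an intrinsic function placed where a resource belongs, and a Lambda Role that is not a role ARN) are easy to catch before calling CreateStack. The following is an added example, not code from either post: a small pre-deploy lint over the parsed template JSON, run on a constructed, cut-down copy of the question's template, plus a helper that applies exactly the edit Solution 1 describes. It also flags the question's other slip, an Fn::GetAtt pointing at a logical id that does not exist in the template.

```python
import copy
import json

# Constructed, cut-down form of the question's template (not the post's own code):
# the Fn::Join "resource" and the bare-string Role are the two defects Solution 1 removes.
BROKEN_TEMPLATE = json.loads("""{
  "Resources": {
    "NFTCalculateCIDLambdaRole": {"Type": "AWS::IAM::Role",
                                  "Properties": {"RoleName": "NFT-CalculateCIDLambdaRoleTEST"}},
    "InterpolazioneRole": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":role/x"]]},
    "CalculateCID": {"Type": "AWS::Lambda::Function",
                     "Properties": {"Role": "Fn::Join", "Runtime": "nodejs12.x"}}
  }
}""")


def lint_lambda_roles(template):
    """Return a list of problems found in the Resources section (empty list means clean)."""
    problems = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if not isinstance(res, dict) or "Type" not in res:
            problems.append(f"{name}: has no 'Type'; intrinsic functions like Fn::Join are not resources")
            continue
        if res["Type"] != "AWS::Lambda::Function":
            continue
        role = res.get("Properties", {}).get("Role")
        getatt = role.get("Fn::GetAtt") if isinstance(role, dict) else None
        if isinstance(getatt, list) and len(getatt) == 2:
            target, attr = getatt
            target_res = resources.get(target)
            if attr != "Arn" or not isinstance(target_res, dict) or target_res.get("Type") != "AWS::IAM::Role":
                problems.append(f"{name}: Role must be Fn::GetAtt [<AWS::IAM::Role logical id>, \"Arn\"]")
        elif not (isinstance(role, str) and role.startswith("arn:aws:iam::")):
            problems.append(f"{name}: Role must be an IAM role ARN, got {role!r}")
    return problems


def apply_solution_1(template, function_id, role_id):
    """Return a copy with every Type-less 'resource' dropped and the Lambda's Role
    set to Fn::GetAtt on the IAM role's Arn, i.e. the edit Solution 1 describes."""
    fixed = copy.deepcopy(template)
    resources = fixed["Resources"]
    for name in [n for n, r in resources.items() if not isinstance(r, dict) or "Type" not in r]:
        del resources[name]
    resources[function_id].setdefault("Properties", {})["Role"] = {"Fn::GetAtt": [role_id, "Arn"]}
    return fixed


if __name__ == "__main__":
    print(lint_lambda_roles(BROKEN_TEMPLATE))
    print(lint_lambda_roles(apply_solution_1(BROKEN_TEMPLATE, "CalculateCID", "NFTCalculateCIDLambdaRole")))
```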
Solution 2:[2]
You are getting the error because you are trying to create InterpolazioneRole as a Join resource rather than a Role resource. Join is a function, not a resource object.
So create InterpolazioneRole as a Role type and then in RoleName refer to your Join.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Manmohan Mittal |
