Is there a way to create aws lambda execution role with cloudformation?

I'm trying to create a lambda function with cloudformation but it requires a lambda execution role - is there a way I can generate one using cloudformation?



Solution 1:[1]

Yes, CloudFormation can be used to create an IAM role. The lambda execution role is an IAM role like any other IAM role. The documentation for doing so shows this example:

MyRole:
  Type: AWS::IAM::Role
  Properties: 
    AssumeRolePolicyDocument: Json
    Description: String
    ManagedPolicyArns: 
      - String
    MaxSessionDuration: Integer
    Path: String
    PermissionsBoundary: String
    Policies: 
      - Policy
    RoleName: String
    Tags: 
      - Tag

Then in the lambda, you reference it using a ref to the name of the role resource. Ex:

MyLambdaFunction:
  Type: AWS::Lambda::Function
  Properties:
    # Role must be the role's ARN. !Ref on an AWS::IAM::Role returns the
    # role name, so the ARN attribute is fetched with !GetAtt instead.
    Role: !GetAtt MyRole.Arn

Solution 2:[2]

You can create an IAM role with a role policy where it will take region and account id from predefined AWS CloudFormation variables and assign it to lambda elements in CloudFormation. Please refer to the following example.

"Resources": {
    "AheadLambdaRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": {
                "Fn::Sub": "AHEADLambdaRole-${EnvName}"
            },
            "AssumeRolePolicyDocument": {
                "Statement": [
                    {
                        "Action": [
                            "sts:AssumeRole"
                        ],
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                "lambda.amazonaws.com"
                            ]
                        }
                    }
                ],
                "Version": "2012-10-17"
            },
            "Policies": [
                {
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": "logs:CreateLogGroup",
                                "Resource": {
                                    "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
                                }
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "logs:CreateLogStream",
                                    "logs:PutLogEvents"
                                ],
                                "Resource": [
                                    { "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/LambdaName:*" }
                                ]
                            }
                        ]
                    },
                    "PolicyName": "NameOfInlinepolicy"
                }
            ],
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
                "arn:aws:iam::aws:policy/AmazonSSMFullAccess"
            ],
            "Path": "/"
        }
    }
}
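A complete template that ties the two answers together, added here as an example (it is not code from either answer, nor from AWS documentation). It creates the execution role with a trust policy that only the Lambda service can use, adds the aws:SourceAccount and aws:SourceArn conditions that AWS documents as the guard against the confused-deputy problem, scopes the CloudWatch Logs permissions to the function's own log group using the same ${AWS::Region} and ${AWS::AccountId} pseudo-parameters as Solution 2, and hands the role to the function with !GetAtt rather than !Ref (which would return the role name instead of the ARN). The parameter names EnvName and FunctionName, the role, policy and function names, the runtime and the handler are all assumptions for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function with a least-privilege execution role (added example)

Parameters:
  EnvName:
    Type: String
    Default: dev                # assumed: only used to build names
  FunctionName:
    Type: String
    Default: example-handler    # assumed: fixed up front so the role can be scoped to it

Resources:
  # Execution role. Only the Lambda service may assume it, and only on behalf
  # of this account and this one function (confused-deputy guard).
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${FunctionName}-role-${EnvName}'
      Path: /
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${FunctionName}'
      Policies:
        # Inline policy limited to the function's own log group in this
        # region and account; nothing else in CloudWatch Logs is writable.
        - PolicyName: write-own-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*'

  Function:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref FunctionName
      Runtime: python3.12
      Handler: index.handler
      # Role takes the ARN. !Ref ExecutionRole would yield the role name and
      # fail validation, so the Arn attribute is used.
      Role: !GetAtt ExecutionRole.Arn
      Code:
        ZipFile: |
          # Minimal constructed handler so the template deploys on its own.
          def handler(event, context):
              return {"statusCode": 200}

Outputs:
  ExecutionRoleArn:
    Value: !GetAtt ExecutionRole.Arn
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name <stack> --capabilities CAPABILITY_NAMED_IAM`; the named-IAM capability is needed because the template sets RoleName. The AWS-managed AWSLambdaBasicExecutionRole policy can replace the inline policy in ManagedPolicyArns, but it allows the three log actions on every log group in the account, and the full-access managed policies attached in Solution 2 grant far more than a typical function needs; attach only the service permissions the handler actually calls.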

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Shawn
Solution 2 vaibhav menkudale