I'm trying to create a Batch setup in CloudFormation. I have in Resources an IAM Role:

SecretsAndS3AccessRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service: batch.amazonaws.com
          Action: 'sts:AssumeRole'
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: 'sts:AssumeRole'
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: 'sts:AssumeRole'
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
      - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
Then in my JobDefinition I have:

JobDefinition:
  Type: 'AWS::Batch::JobDefinition'
  Properties:
    Type: container
    ContainerProperties:
      Image: public.ecr.aws/l0v4l2q2/rapidtide-cloud
      Vcpus: 2
      Memory: 2000
      Command:
        - /simple-test
      Privileged: true
      JobRoleArn: !Ref SecretsAndS3AccessRole
      ExecutionRoleArn: !Ref SecretsAndS3AccessRole
      Secrets:
        - Name: MY_SECRET
          ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-zSQVSQ
    RetryStrategy:
      Attempts: 1
When I try to build the stack, I get:
An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn
If I remove the ExecutionRoleArn line and the Secrets, the stack builds fine, which is to say that JobRoleArn is happy with a value of !Ref SecretsAndS3AccessRole. (But I need the secrets, and to use secrets you need an execution role.) And if I hardcode the ARN there, it works fine.

What is different about ExecutionRoleArn that it doesn't allow a !Ref? According to the documentation for JobDefinition/ContainerProperties, JobRoleArn and ExecutionRoleArn seem the same sort of object.
CodePudding user response:
!Ref returns the logical ID of the resource, not the ARN.
You need to use !GetAtt.
This should work:
ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn
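The same mistake is easy to repeat across a large template, so here is an added example (not part of the original question or answer) of a small check that walks a CloudFormation template in its JSON form and flags every property ending in "Arn" whose value is a Ref to an AWS::IAM::Role, since Ref on a role yields the role name and only Fn::GetAtt [role, Arn] yields the ARN. The template below is a constructed, trimmed JSON rendering of the question's resources with a placeholder image name; the check flags both JobRoleArn and ExecutionRoleArn, because both are documented as ARN fields even though only one was rejected at registration time.

```python
"""Flag and fix Ref-to-IAM-role values in *Arn properties (added example)."""
import copy

IAM_ROLE = "AWS::IAM::Role"

# Constructed JSON-form template mirroring the question (image name is a placeholder).
TEMPLATE = {
    "Resources": {
        "SecretsAndS3AccessRole": {"Type": IAM_ROLE, "Properties": {}},
        "JobDefinition": {
            "Type": "AWS::Batch::JobDefinition",
            "Properties": {
                "Type": "container",
                "ContainerProperties": {
                    "Image": "public.ecr.aws/example/placeholder-image",
                    "JobRoleArn": {"Ref": "SecretsAndS3AccessRole"},
                    "ExecutionRoleArn": {"Ref": "SecretsAndS3AccessRole"},
                },
            },
        },
    }
}


def find_ref_to_role_in_arn_field(template):
    """Return (path, role_logical_id) for each *Arn property that is a Ref to a role."""
    resources = template.get("Resources", {})
    roles = {name for name, res in resources.items() if res.get("Type") == IAM_ROLE}
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                is_ref = isinstance(value, dict) and set(value) == {"Ref"}
                if key.endswith("Arn") and is_ref and value["Ref"] in roles:
                    findings.append((path + [key], value["Ref"]))
                else:
                    walk(value, path + [key])
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, path + [index])

    for logical_id, res in resources.items():
        walk(res.get("Properties", {}), [logical_id, "Properties"])
    return findings


def fix_template(template):
    """Return a copy with each flagged Ref replaced by Fn::GetAtt [role, Arn]."""
    fixed = copy.deepcopy(template)
    for path, role in find_ref_to_role_in_arn_field(fixed):
        node = fixed["Resources"]
        for step in path[:-1]:
            node = node[step]
        node[path[-1]] = {"Fn::GetAtt": [role, "Arn"]}
    return fixed
```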