When I create a role using AWS CLI, I get a properly formatted ARN:
arn:aws:iam::836101485904:role/sigmund-freud
However, when I use cloudformation, I get a PhysicalResourceId in the stack resource that does not look like an ARN at all:
stack-example9-SigmundFreud-1SXXK5AE0GRA3
How do I get an ARN from this PhysicalResourceId?
The confusing part is that when I create a policy with cloudformation, the PhysicalResourceId is a properly formed ARN:
"PhysicalResourceId": "arn:aws:iam::836101485904:policy/bucket-simple1-FirstPolicy-1DMVF6Q0R9G95"
So what is going on with the role ARN and how can I retrieve it?
CodePudding user response:
In a Cloudformation template, you can define Outputs. These are auto-generated values which you’d like to extract after deployment and use otherwise.
In your Cloudformation template, add a section at the bottom, like the following:
Outputs: # top-level entry!
  myRoleArn: # just an arbitrary identifier
    Value: !GetAtt myRole.Arn # assuming that "myRole" is the name of your resource
Then, after deploying your stack, you can use the AWS CLI to extract the value:
aws cloudformation describe-stacks --stack-name $YOUR_STACK \
    --query 'Stacks[0].Outputs[?OutputKey==`myRoleArn`].OutputValue' \
    --output text
You can even load this into a shell variable by something like
export MY_ROLE_ARN="$(aws cloudformation describe-stacks …)"
Learn more about Outputs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html
Also note that the Cloudformation docs list all the potential Output values you can get for a certain resource type. For example, the AWS::IAM::Role outputs are here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html (Look for the “Return values” section.)
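The following is an added example, not code from the question or the answer above. It does offline what the `describe-stacks --query` command in the answer does, pulling the `myRoleArn` output out of a constructed describe-stacks response, and it returns None instead of an empty string when the stack has no Outputs section or the key is missing (the case where the shell variable in the answer would silently end up empty). It also shows the other direction: for AWS::IAM::Role the PhysicalResourceId is simply the role name, so `arn:<partition>:iam::<account>:role/<name>` can be assembled from it and cross-checked against the output value before the ARN is pasted into a trust policy. The stack name, role name and the 12-digit account ID `123456789012` are placeholders; only the standard library is used.

```python
"""Added example: extract an IAM role ARN from a CloudFormation describe-stacks
response and cross-check it against the role's PhysicalResourceId.
Runs offline on constructed sample responses; nothing here is real."""
import json
import re
from typing import Optional

# Constructed sample of `aws cloudformation describe-stacks` (JSON output) for a
# stack whose template defines the `myRoleArn` output from the answer. Placeholder
# account ID and names.
SAMPLE_DESCRIBE_STACKS = json.dumps({
    "Stacks": [{
        "StackName": "stack-example9",
        "StackStatus": "CREATE_COMPLETE",
        "Outputs": [
            {"OutputKey": "myRoleArn",
             "OutputValue": "arn:aws:iam::123456789012:role/stack-example9-SigmundFreud-1SXXK5AE0GRA3"},
        ],
    }]
})

# Constructed sample of `aws cloudformation describe-stack-resource` for the role:
# for AWS::IAM::Role the PhysicalResourceId is the role name, not an ARN.
SAMPLE_STACK_RESOURCE = json.dumps({
    "StackResourceDetail": {
        "LogicalResourceId": "SigmundFreud",
        "PhysicalResourceId": "stack-example9-SigmundFreud-1SXXK5AE0GRA3",
        "ResourceType": "AWS::IAM::Role",
        "ResourceStatus": "CREATE_COMPLETE",
    }
})

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})$"
)


def stack_output(describe_stacks_json: str, key: str) -> Optional[str]:
    """Same selection as the JMESPath query Stacks[0].Outputs[?OutputKey==`key`].OutputValue.
    Returns None when the stack has no Outputs section or the key is absent."""
    stacks = json.loads(describe_stacks_json).get("Stacks", [])
    if not stacks:
        return None
    for out in stacks[0].get("Outputs", []):
        if out.get("OutputKey") == key:
            return out.get("OutputValue")
    return None


def role_arn_from_physical_id(physical_id: str, account_id: str, partition: str = "aws") -> str:
    """Assemble the role ARN from the PhysicalResourceId (the role name) when the
    Outputs route is not available; rejects malformed account IDs and role names."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    arn = f"arn:{partition}:iam::{account_id}:role/{physical_id}"
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"{physical_id!r} is not a valid IAM role name")
    return arn


def parse_role_arn(arn: str) -> Optional[dict]:
    """Split a role ARN into partition, account, path and name; None if not a role ARN."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        return None
    partition, account, path, name = m.groups()
    return {"partition": partition, "account": account, "path": "/" + path, "name": name}


def resolve_and_check(describe_stacks_json: str, stack_resource_json: str,
                      output_key: str, account_id: str) -> Optional[str]:
    """Read the ARN from the stack output and confirm it names the same account and
    role as the resource's PhysicalResourceId; a mismatch means the output points
    somewhere else than the role you think it does."""
    arn = stack_output(describe_stacks_json, output_key)
    if arn is None:
        return None
    physical = json.loads(stack_resource_json)["StackResourceDetail"]["PhysicalResourceId"]
    parts = parse_role_arn(arn)
    if parts is None or parts["account"] != account_id or parts["name"] != physical:
        raise ValueError(f"output {output_key} ({arn}) does not match role {physical}")
    return arn


if __name__ == "__main__":
    print(resolve_and_check(SAMPLE_DESCRIBE_STACKS, SAMPLE_STACK_RESOURCE,
                            "myRoleArn", "123456789012"))
```

In practice the two JSON strings would come from `aws cloudformation describe-stacks --output json` and `aws cloudformation describe-stack-resource --stack-name ... --logical-resource-id ... --output json`; the regex deliberately accepts the `aws-cn` and `aws-us-gov` partitions and a role path such as `service-role/`, so the check does not break for stacks deployed outside the commercial partition.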