PhysicalResourceId vs ARN


When I create a role using AWS CLI, I get a properly formatted ARN:


However, when I use CloudFormation, I get a PhysicalResourceId in the stack resource which does not look like an ARN at all:


How do I get an ARN from this PhysicalResourceId?

The confusing part is that when I create a policy with CloudFormation, the PhysicalResourceId is a properly formed ARN:

"PhysicalResourceId": "arn:aws:iam::836101485904:policy/bucket-simple1-FirstPolicy-1DMVF6Q0R9G95"

So what is going on with the role ARN and how can I retrieve it?

Solution:

In a CloudFormation template, you can define Outputs. These are auto-generated values which you'd like to extract after deployment and use otherwise.

In your CloudFormation template, add a section at the bottom like the following:

Outputs: # top-level entry!
    myRoleArn: # just an arbitrary identifier
        Value: !GetAtt myRole.Arn # assuming that "myRole" is the name of your resource

Then, after deploying your stack, you can use the AWS CLI to extract the value:

aws cloudformation describe-stacks --stack-name $YOUR_STACK \
    --query 'Stacks[0].Outputs[?OutputKey==`myRoleArn`].OutputValue' \
    --output text

You can even load this into a shell variable by something like

export MY_ROLE_ARN="$(aws cloudformation describe-stacks …)"

Learn more about Outputs:

Also note that the CloudFormation docs list all the potential Output values you can get for a certain resource type. For example, the AWS::IAM::Role outputs are here: (Look for the "Return values" section.)
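Added example in Python (not part of the answer above, and not AWS code): it works on constructed describe-stacks and describe-stack-resources output, shows that a role's PhysicalResourceId is a bare role name while a managed policy's is already an ARN, and pulls the myRoleArn output with a check that the value is an IAM role ARN in the account you expect before it goes into anything like a trust policy. The account id, stack and resource names are made up.

```python
import json
import re

# Constructed sample of `aws cloudformation describe-stacks` output (account id and names made up).
DESCRIBE_STACKS_JSON = json.dumps({"Stacks": [{"StackName": "bucket-simple1", "Outputs": [
    {"OutputKey": "myRoleArn",
     "OutputValue": "arn:aws:iam::123456789012:role/bucket-simple1-myRole-ABC123DEF456"},
    {"OutputKey": "bucketName", "OutputValue": "bucket-simple1-data"},
]}]})

# Constructed `describe-stack-resources` rows: the role's PhysicalResourceId is only its name,
# while the managed policy's PhysicalResourceId is already a full ARN.
STACK_RESOURCES = [
    {"LogicalResourceId": "myRole", "ResourceType": "AWS::IAM::Role",
     "PhysicalResourceId": "bucket-simple1-myRole-ABC123DEF456"},
    {"LogicalResourceId": "FirstPolicy", "ResourceType": "AWS::IAM::ManagedPolicy",
     "PhysicalResourceId": "arn:aws:iam::123456789012:policy/bucket-simple1-FirstPolicy-1DMVF6Q0R9G95"},
]

ARN_RE = re.compile(r"^arn:(?P<partition>aws[a-z-]*):(?P<service>[a-z0-9-]+):(?P<region>[a-z0-9-]*):"
                    r"(?P<account>\d{12}|):(?P<resource>.+)$")

def parse_arn(arn):
    """Split an ARN into its fields; raise ValueError for anything that is not ARN-shaped."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return m.groupdict()

def is_arn(physical_resource_id):
    """True when a PhysicalResourceId is already an ARN (policies), False for a bare name (roles)."""
    return ARN_RE.match(physical_resource_id) is not None

def stack_output(describe_stacks_json, output_key):
    """Same lookup as the JMESPath query in the answer: Stacks[0].Outputs[?OutputKey==key].OutputValue."""
    for out in json.loads(describe_stacks_json)["Stacks"][0].get("Outputs", []):
        if out["OutputKey"] == output_key:
            return out["OutputValue"]
    raise KeyError(f"stack has no output {output_key!r}")

def role_arn_from_stack(describe_stacks_json, output_key, expected_account):
    """Fetch the role ARN and verify it is an IAM role in the expected account, so a wrong output
    key or a cross-account value fails here rather than silently landing in a trust policy."""
    arn = stack_output(describe_stacks_json, output_key)
    parts = parse_arn(arn)
    if parts["service"] != "iam" or not parts["resource"].startswith("role/"):
        raise ValueError(f"output {output_key!r} is not an IAM role ARN: {arn}")
    if parts["account"] != expected_account:
        raise ValueError(f"role ARN is in account {parts['account']}, expected {expected_account}")
    return arn
```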
