When I create a role using AWS CLI, I get a properly formatted ARN:
However, when I use cloudformation, I get PhysicalResourceId in the stack resource which does not look like an ARN at all:
How do I get an ARN from this PhysicalResourceId?
The confusing part is that when I create a policy with cloudformation, the PhysicalResourceId is a properly formed ARN:
So what is going on with the role ARN and how can I retrieve it?
In a Cloudformation template, you can define Outputs. These are auto-generated values which you’d like to extract after deployment and use otherwise.
In your Cloudformation template, add a section at the bottom, like the following:
    Outputs:                          # top-level entry!
      myRoleArn:                      # just an arbitrary identifier
        Value: !GetAtt myRole.Arn     # assuming that "myRole" is the name of your resource
Then, after deploying your stack, you can use the AWS CLI to extract the value:
    aws cloudformation describe-stacks --stack-name "$YOUR_STACK" \
        --query 'Stacks[0].Outputs[?OutputKey==`myRoleArn`].OutputValue' \
        --output text
You can even load this into a shell variable by something like
export MY_ROLE_ARN="$(aws cloudformation describe-stacks …)"
Learn more about Outputs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html
Also note that the Cloudformation docs list all the potential Output values you can get for a certain resource type. For example, the AWS::IAM::Role outputs are here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html (Look for the “Return values” section.)
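As an added example (not part of the answer above), here is the same extraction done in Python instead of with the CLI `--query`: it walks a DescribeStacks response the way the JMESPath expression does, fails loudly when the output key is missing (the CLI with `--output text` silently returns an empty string in that case), and checks that what came back is shaped like an IAM role ARN rather than the bare role name you see in PhysicalResourceId. The response below is a constructed sample with a made-up account id and stack name; the `fetch_role_arn` helper assumes boto3 is installed and credentials are configured, and is only used if you call it.

```python
"""Extract a CloudFormation stack output (e.g. a role ARN) from a
DescribeStacks response, mirroring the CLI --query in the answer above."""
import json
import re

# Constructed sample of what `aws cloudformation describe-stacks` returns,
# trimmed to the fields that matter. Account id, stack and role names are made up.
SAMPLE_DESCRIBE_STACKS = json.loads("""
{
  "Stacks": [
    {
      "StackName": "my-stack",
      "StackStatus": "CREATE_COMPLETE",
      "Outputs": [
        {"OutputKey": "myRoleArn",
         "OutputValue": "arn:aws:iam::123456789012:role/my-stack-myRole-ABC123DEF456"},
        {"OutputKey": "myRoleName",
         "OutputValue": "my-stack-myRole-ABC123DEF456"}
      ]
    }
  ]
}
""")

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<path><name>
ROLE_ARN_RE = re.compile(r"^arn:[a-z-]+:iam::\d{12}:role/[\w+=,.@/-]+$")


def get_stack_output(describe_response, output_key):
    """Return the OutputValue for output_key from the first stack in the
    response, i.e. Stacks[0].Outputs[?OutputKey==`output_key`].OutputValue.

    Raises KeyError when the stack has no such output, so a template that
    forgot its Outputs section fails here instead of yielding ''."""
    stacks = describe_response.get("Stacks", [])
    if not stacks:
        raise KeyError("no stack in DescribeStacks response")
    for out in stacks[0].get("Outputs", []):
        if out.get("OutputKey") == output_key:
            return out["OutputValue"]
    raise KeyError(
        f"stack {stacks[0].get('StackName')!r} has no output {output_key!r}")


def is_role_arn(value):
    """True if value looks like an IAM role ARN rather than a bare role name
    (which is what CloudFormation reports as PhysicalResourceId for a role)."""
    return bool(ROLE_ARN_RE.match(value))


def fetch_role_arn(stack_name, output_key="myRoleArn", client=None):
    """Live variant: call DescribeStacks via boto3 (assumed installed and
    configured) and validate the result. `client` is injectable for tests."""
    if client is None:
        import boto3  # imported lazily so the offline helpers run without it
        client = boto3.client("cloudformation")
    resp = client.describe_stacks(StackName=stack_name)
    arn = get_stack_output(resp, output_key)
    if not is_role_arn(arn):
        raise ValueError(f"output {output_key!r} is not a role ARN: {arn!r}")
    return arn


if __name__ == "__main__":
    print(get_stack_output(SAMPLE_DESCRIBE_STACKS, "myRoleArn"))
```

If you pass the result on to something that grants trust (a trust policy, a `PassRole` permission, an assume-role call), the `is_role_arn` check is the cheap guard against accidentally wiring in the role name from PhysicalResourceId instead of the ARN.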