When I create a role using AWS CLI, I get a properly formatted ARN:
arn:aws:iam::836101485904:role/sigmund-freud
However, when I use cloudformation, I get PhysicalResourceId in the stack resource which does not look like an ARN at all:
stack-example9-SigmundFreud-1SXXK5AE0GRA3
How do I get an ARN from this PhysicalResourceId?
The confusing part is that when I create a policy with cloudformation, the PhysicalResourceId is a properly formed ARN:
"PhysicalResourceId": "arn:aws:iam::836101485904:policy/bucket-simple1-FirstPolicy-1DMVF6Q0R9G95"
So what is going on with the role ARN and how can I retrieve it?
>Solution :
In a Cloudformation template, you can define Outputs. These are auto-generated values which you’d like to extract after deployment and use otherwise.
In your Cloudformation template, add a section at the bottom, like the following:
Outputs: # top-level entry!
myRoleArn: # just an arbitrary identifier
Value: !GetAtt myRole.Arn # assuming that "myRole" is the name of your resource
Then, after deploying your stack, you can use the AWS CLI to extract the value:
aws cloudformation describe-stacks --stack-name $YOUR_STACK \
--query 'Stacks[0].Outputs[?OutputKey==`myRoleArn`].OutputValue' \
--output text
You can even load this into a shell variable by something like
export MY_ROLE_ARN="$(aws cloudformation describe-stacks …)"
Learn more about Outputs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html
Also note that the Cloudformation docs list all the potential Output values you can get for a certain resource type. For example, the AWS::IAM::Role outputs are here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html (Look for the “Return values” section.)