0
votes

So if I were to create a federated developer role for developers (duh) and push it to AWS in the form of a cf template, the role's name is simply what I named it. But for some reason, if the role is designed for AWS services/resources to assume (say, a Lambda role for EC2 instances), the role has a seemingly random string of 12 characters appended to it.

Ex: iam-lam-role-85C94J38RDE2

Why does CloudFormation append this automatically?

2
Can you show your CloudFormation template? Do you set the RoleName property in both cases?
hellomichibye

2 Answers

1
votes

Refer to the Name Type section of the CloudFormation documentation:

By default, AWS CloudFormation generates a unique physical ID to name a resource. For example, AWS CloudFormation might name an Amazon S3 bucket with the following physical ID stack123123123123-s3bucket-abcdefghijk1. [...]

If you want to use a custom name, specify a name property for that resource in your AWS CloudFormation template.

For AWS::IAM::Role (which is one of the resources that supports custom names), specify the RoleName property to provide a custom name.

Your question suggests that the default physical ID actually changes based on the contents of the AssumeRolePolicyDocument property within the AWS::IAM::Role resource. I haven't observed any such behavior in practice, so I think it's likely you specified a RoleName for one resource and not the other.

1
votes

CloudFormation appends random characters to the physical ID so there won't be name collisions between 2 IAM roles. In a given AWS account, there cannot be 2 IAM roles with the same name.

If you were to create 2 CloudFormation stacks that each contain an IAM role with the same logical ID (e.g. MyRole), there would be name collisions for the IAM roles created. That's why CloudFormation generates a random name for your IAM roles (e.g. MyRole-85C94J38RDE2 and MyRole-78DM29SKFJD8).

If you want to assign a fixed name for your IAM roles, you can use the RoleName property.
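The situation both answers describe, as an added example (not code from the question or from either answer): one CloudFormation template with two AWS::IAM::Role resources that share the same trust policy, one without RoleName (CloudFormation generates the physical ID, typically of the form stack-name, logical ID, random suffix) and one with RoleName set (the physical ID is exactly that string). The role name iam-lam-role, the stack name and the logical IDs are assumptions, not values from the page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: two Lambda execution roles, one with a generated name and one
  with a fixed RoleName, to show where the random suffix comes from.

Resources:
  # No RoleName: CloudFormation generates the physical ID, e.g.
  # roles-demo-GeneratedNameRole-<random suffix>. Two stacks created from this
  # template can coexist in one account because the names never collide.
  GeneratedNameRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com   # only Lambda may assume this role
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # RoleName set: the physical ID is exactly "iam-lam-role" (assumed name).
  # Creating the stack now requires the CAPABILITY_NAMED_IAM capability, and a
  # second stack that sets the same RoleName in the same account fails to create.
  FixedNameRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: iam-lam-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Outputs:
  # !Ref on an AWS::IAM::Role returns the role name, i.e. the physical ID.
  GeneratedRoleName:
    Value: !Ref GeneratedNameRole
  FixedRoleName:
    Value: !Ref FixedNameRole
  FixedRoleArn:
    Value: !GetAtt FixedNameRole.Arn
```

Deploy it with `aws cloudformation deploy --template-file roles.yaml --stack-name roles-demo --capabilities CAPABILITY_NAMED_IAM` (the capability is what CloudFormation demands as soon as any IAM resource carries a custom name), then compare logical and physical IDs with `aws cloudformation describe-stack-resources --stack-name roles-demo --query 'StackResources[].[LogicalResourceId,PhysicalResourceId]'`: the first role shows the generated suffix, the second shows iam-lam-role unchanged. If you do fix the name, treat it as a shared account-wide identifier: pick it so it cannot clash with other stacks or manually created roles, and keep the trust policy scoped to the one principal that needs it.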