How do I reference a role defined in a SAM template?

1
votes

I'm new to AWS SAM templates and want to be able to create a role with a selection of policies and then reference that role for a Lambda function. However, I get the following error when I try to deploy:

Value 'MyRole' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+

This answer mentions that I can add the policies direct to the function but I'll have lots of functions that need the same policies so that's not a very DRY approach IAM role inside SAM template

Is the problem that I can't use !GetAtt on a newly created role?

This is what my template.yml looks like:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  OMW Backend Services

Globals:
  Function:
    Timeout: 3

Resources:

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:       
          PolicyName: 'ParameterStoreDevParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'ssm:GetParameter*'
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
        -
          PolicyName: 'ParameterStoreDevLambdaBasicExecution'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
        -
          PolicyName: 'ParameterStoreDevXRayAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'xray:PutTraceSegments'
                  - 'xray:PutTelemetryRecords'
                Resource: '*'
  MyFunction:
    Type: AWS::Serverless::Function
      Tracing: Active
      CodeUri: functions/src/
      Handler: lookup.lambdaHandler
      Runtime: nodejs10.x
      Timeout: 10
      MemorySize: 256
      Role: !GetAtt MyRole.Arn
      Events:
        Lookup:
          Type: Api
          Properties:
            Path: /somePath/{id}
            Method: get
1
aws-lambdaamazon-cloudformationaws-sam

1 Answers

7
votes

There is Properties tag missing in your lambda function definition, and policy list was missing - for the first policy. 

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  OMW Backend Services

Globals:
  Function:
    Timeout: 3

Resources:

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        -
          PolicyName: 'ParameterStoreDevParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'ssm:GetParameter*'
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
        -
          PolicyName: 'ParameterStoreDevLambdaBasicExecution'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
        -
          PolicyName: 'ParameterStoreDevXRayAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'xray:PutTraceSegments'
                  - 'xray:PutTelemetryRecords'
                Resource: '*'
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Tracing: Active
      CodeUri: functions/src/
      Handler: lookup.lambdaHandler
      Runtime: nodejs10.x
      Timeout: 10
      MemorySize: 256
      Role: !GetAtt MyRole.Arn
      Events:
        Lookup:
          Type: Api
          Properties:
            Path: /somePath/{id}
            Method: get