When I create a role using AWS CLI, I get a properly formatted ARN:
arn:aws:iam::836101485904:role/sigmund-freud
However, when I use cloudformation, I get PhysicalResourceId in the stack resource which does not look like an ARN at all:
stack-example9-SigmundFreud-1SXXK5AE0GRA3
How do I get an ARN from this PhysicalResourceId?
The confusing part is that when I create a policy with cloudformation, the PhysicalResourceId is a properly formed ARN:
"PhysicalResourceId": "arn:aws:iam::836101485904:policy/bucket-simple1-FirstPolicy-1DMVF6Q0R9G95"
So what is going on with the role ARN and how can I retrieve it?
In a Cloudformation template, you can define Outputs. These are auto-generated values which you’d like to extract after deployment and use otherwise.
In your Cloudformation template, add a section at the bottom, like the following:
Outputs: # top-level entry!
  myRoleArn: # just an arbitrary identifier
    Value: !GetAtt myRole.Arn # assuming that "myRole" is the name of your resource
Then, after deploying your stack, you can use the AWS CLI to extract the value:
aws cloudformation describe-stacks --stack-name $YOUR_STACK \
  --query 'Stacks[0].Outputs[?OutputKey==`myRoleArn`].OutputValue' \
  --output text
You can even load this into a shell variable by something like
export MY_ROLE_ARN="$(aws cloudformation describe-stacks …)"
Learn more about Outputs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html
Also note that the Cloudformation docs list all the potential Output values you can get for a certain resource type. For example, the AWS::IAM::Role outputs are here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html (Look for the “Return values” section.)
I have set up CI/CD for an AWS Lambda function such that the new version is automatically deployed using GitHub actions. By default, AWS creates a new Lambda ID (and thus URL) for this lambda function. This means that the front-end portion of my code will need to be updated to contain the updated URL. Is there a way to automatically perform such updating? By e.g. saving the URL as an environment variable and inserting it in the code with a GitHub action?
Or is there alternatively a way to re-use the old Lambda function URL for new deployments?
You can get the updated Lambda URL by using SAM template outputs as follows:
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      # ... Handler, Runtime, CodeUri as usual
      FunctionUrlConfig:   # required: this makes SAM generate the MyFunctionUrl resource referenced below
        AuthType: AWS_IAM  # use NONE only if the URL is meant to be public
Outputs:
  MyFunctionUrlEndpoint:
    Description: "My Lambda Function URL Endpoint"
    Value: !GetAtt MyFunctionUrl.FunctionUrl
Then you can access the output as described in this answer:
aws cloudformation describe-stacks --stack-name stack_name --query 'Stacks[0].Outputs[?OutputKey==`MyFunctionUrlEndpoint`].OutputValue' --output text
which can then be further processed in e.g. your front-end code.
There may be easier methods, but this should work!
I have switched from serverless to sam cli. One useful function serverless had was serverless print which allowed you to print the output of your yaml file with all the local variables resolved. This was a useful tool for checking if your syntax is correct or if the variables are resolving as you expect.
Is there any way to do this with AWS sam cli?
e.g.
sam print
You can achieve this using Outputs section of SAM template.
You can check the AWS SAM template anatomy to understand better.
Outputs (optional)
The values that are returned whenever you view your stack's properties. For example, you can declare an output for an S3 bucket name, and then call the aws cloudformation describe-stacks AWS Command Line Interface (AWS CLI) command to view the name. This section corresponds directly with the Outputs section of AWS CloudFormation templates.
You will need to make use of Intrinsic functions within your Outputs section to print out the final resolved value at runtime.
Outputs:
  BackupLoadBalancerDNSName:
    Description: The DNSName of the backup load balancer
    Value: !GetAtt BackupLoadBalancer.DNSName
    Condition: CreateProdResources
  InstanceID:
    Description: The Instance ID
    Value: !Ref EC2Instance
If you just wish to validate if your SAM is correct or not you could use the following command:
$ sam validate
Posting the answer here so that it may help others in future!
I’m trying to add a policy to a lambda to allow AppConfig to invoke it.
I can do this through the terminal using this command:
aws lambda add-permission --function-name ConfigValidator.Arn --action lambda:InvokeFunction --statement-id appconfig --principal appconfig.amazonaws.com --output json --region eu-west-1
But how can this be done automatically through the SAM template?
Here is how I do this:
Create a managed policy with access to your AppConfig
Attach that managed policy to the role your lambda is configured to use
Here is the code using CDK (CDK is the latest and greatest tool to create AWS resources, I highly recommend using it!).
If you don't want to use CDK you can manually setup the same managed policies by hand.
Detailed example below:
Create a managed policy with access to your AppConfig
import { ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam' // '@aws-cdk/aws-iam' in CDK v1

// Scope the policy to this stack's AppConfig application only
const resourceArn = `arn:aws:appconfig:${props.region}:${props.accountId}:application/${this.appConfigApplication.ref}*`
this.appConfigReaderManagedPolicy = new ManagedPolicy(this, `AppConfigReader-${id}`, {
  managedPolicyName: `AppConfigReader-${id}`,
  description: `Readonly access to ${id}`,
  statements: [
    new PolicyStatement({
      resources: [resourceArn],
      actions: [
        'appconfig:GetConfiguration',
        'appconfig:GetApplication',
      ],
    }),
  ],
})
Attach that managed policy to the role your lambda is configured to use
// assuming your lambda is already configured somewhere;
// Function.role is typed IRole | undefined, hence the optional chaining
this.lambdaFunction.role?.addManagedPolicy(this.appConfigReaderManagedPolicy)
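One caveat on the add-permission command in the question, as an added Python check that is not part of this answer or of the CDK project: a Lambda resource policy statement that allows a service principal such as appconfig.amazonaws.com should carry an aws:SourceArn or aws:SourceAccount condition, otherwise the function can be invoked through that service on behalf of resources in other accounts (the confused-deputy problem). The get-policy output, account id and function ARN below are constructed sample values.

```python
import json

# Constructed sample shaped like `aws lambda get-policy --function-name ConfigValidator`
# after two add-permission calls: note that "Policy" is a JSON-encoded string, not an object.
GET_POLICY_OUTPUT = {
    "RevisionId": "00000000-0000-0000-0000-000000000000",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # as created by the command in the question: no source condition
                "Sid": "appconfig", "Effect": "Allow",
                "Principal": {"Service": "appconfig.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:ConfigValidator"},
            {   # hardened form: the grant only applies to AppConfig acting for this account
                "Sid": "appconfig-scoped", "Effect": "Allow",
                "Principal": {"Service": "appconfig.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:ConfigValidator",
                "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
        ],
    }),
}

# Lambda stores the keys as "AWS:SourceArn"/"AWS:SourceAccount"; compare case-insensitively.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def unscoped_service_grants(get_policy_output):
    """Return the Sids of Allow statements that let an AWS service principal call the
    function without an aws:SourceArn / aws:SourceAccount condition."""
    policy = json.loads(get_policy_output["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    flagged = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue                           # only service principals are of interest here
        cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not cond_keys & SOURCE_KEYS:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("statements without a source condition:", unscoped_service_grants(GET_POLICY_OUTPUT))
```

On the CLI the scoped form is `aws lambda add-permission ... --source-account <account>` or `--source-arn <appconfig arn>`; in a SAM/CloudFormation template the same grant is an AWS::Lambda::Permission resource with its SourceAccount or SourceArn property set.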
I am trying to view and add tags on my web acls using aws wafv2 cli command.
Other commands seem to be working properly, but I am getting the following error when using an ARN in tagging.
The command:
aws wafv2 list-tags-for-resource \
--resource-arn arn:aws:wafv2:us-east-1:<account_id>:global/webacl/<acl_name>/<acl_id>
Output:
An error occurred (WAFInvalidParameterException) when calling the TagResource operation:
Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other
information separated by colons or slashes., field: RESOURCE_ARN, parameter: <arn>
Any idea on why this is happening? I understand that the old version aws waf uses a different format. But I am using wafv2 now so I think I am using the correct URL format already.
Just confirmed the fix. As the comment above indicated, I just need to add the --region parameter and it needs to match the region indicated in the ARN.
Though I am not sure why this is happening as the region in my ~/.aws/config is default to us-east-1 already.
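An added Python helper, not taken from any post on this page, that covers two things raised above: rebuilding a role ARN from the name-only PhysicalResourceId of the first question (the managed policy, by contrast, already reports an ARN), and checking that an ARN's region matches the region the CLI call is sent to, which is the wafv2 mistake just fixed. The account id, stack resources and web ACL ARN are constructed sample values.

```python
import re

# Constructed sample, shaped like the output of
#   aws cloudformation describe-stack-resources --stack-name stack-example9
# (the account id and the Lambda physical id are made up for this example).
STACK_RESOURCES = [
    {"LogicalResourceId": "SigmundFreud", "ResourceType": "AWS::IAM::Role",
     "PhysicalResourceId": "stack-example9-SigmundFreud-1SXXK5AE0GRA3"},
    {"LogicalResourceId": "FirstPolicy", "ResourceType": "AWS::IAM::ManagedPolicy",
     "PhysicalResourceId": "arn:aws:iam::123456789012:policy/stack-example9-FirstPolicy-1DMVF6Q0R9G95"},
    {"LogicalResourceId": "Fn", "ResourceType": "AWS::Lambda::Function",
     "PhysicalResourceId": "stack-example9-Fn-1ABC2DEF3GHI4"},
]

# arn:partition:service:region:account:resource  (region and account may be empty)
ARN_RE = re.compile(r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*)"
                    r":(?P<account>[^:]*):(?P<resource>.+)$")


def parse_arn(arn):
    """Split an ARN into its fields; reject the malformed case the WAF error message describes."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"The ARN isn't valid: {arn!r}")
    return m.groupdict()


def physical_id_to_arn(resource, account, region, partition="aws"):
    """Rebuild the ARN of a stack resource whose PhysicalResourceId is only a name.
    Only the resource types seen on this page are handled; !GetAtt Arn in Outputs stays authoritative."""
    pid = resource["PhysicalResourceId"]
    if pid.startswith("arn:"):             # managed policies (and others) already report an ARN
        return pid
    rtype = resource["ResourceType"]
    if rtype == "AWS::IAM::Role":          # IAM is global: empty region; a non-default Path is not in the id
        return f"arn:{partition}:iam::{account}:role/{pid}"
    if rtype == "AWS::Lambda::Function":
        return f"arn:{partition}:lambda:{region}:{account}:function:{pid}"
    raise ValueError(f"no ARN rule for {rtype}")


def region_mismatch(arn, cli_region):
    """Return a message when the CLI region differs from the ARN's region (the wafv2 pitfall), else None.
    Global services such as iam or s3 carry an empty region field and never mismatch."""
    fields = parse_arn(arn)
    if fields["region"] and fields["region"] != cli_region:
        return f"ARN region {fields['region']} != CLI region {cli_region}; pass --region {fields['region']}"
    return None


if __name__ == "__main__":
    for r in STACK_RESOURCES:
        print(r["LogicalResourceId"], "->", physical_id_to_arn(r, "123456789012", "us-east-1"))
    print(region_mismatch("arn:aws:wafv2:us-east-1:123456789012:global/webacl/my-acl/0000", "eu-west-1"))
```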
A little confused about how to do this or if it's possible.
This is not a nested stack. I want to set tags in my CF template that apply to all resources in the template. The AWS::CloudFormation::Stack resource can do that, but I don't need/want a nested stack; I just have one stack and one template.
Use the deploy command with --tags:
aws cloudformation deploy \
--template-file template.yaml \
--stack-name MyStack \
--tags Key1=Value1 Key2=Value2
Docs:
--tags (list) A list of tags to associate with the stack that is created or updated. AWS CloudFormation also propagates these tags to resources in the stack if the resource supports it. Syntax: TagKey1=TagValue1 TagKey2=TagValue2 ...
You can solve that with a kind of workaround.
You can create another CF template that will include only the "AWS::CloudFormation::Stack" resource.
In the parameters, provide the tags that you want, and in the "TemplateURL" property, provide the URL of a template that specifies the stack that you want to create as a resource.
Note that the template must be stored on an Amazon S3 bucket, so the URL must have the form:
https://s3.amazonaws.com/.../TemplateName.extension
For more details:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html#cfn-cloudformation-stack-templateurl