Can't create a AWS Batch JobDefinition JobRoleArn in Cloudformation using a !Ref

0

I'm trying to create a Batch setup in Cloudformation. I have in Resources an IAM Role:

  SecretsAndS3AccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: batch.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'

Then in my JobDefinition I have:

  JobDefinition:
    Type: 'AWS::Batch::JobDefinition'
    Properties:
      Type: container
      ContainerProperties:
        Image: uri/to/my/image
        Vcpus: 2
        Memory: 2000
        Command:
          - /simple-test
        Privileged: true
        JobRoleArn: !Ref SecretsAndS3AccessRole
        ExecutionRoleArn: !Ref SecretsAndS3AccessRole
        Secrets:
          - Name: MY_SECRET
            ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
      RetryStrategy:
        Attempts: 1

When I try to build the stack, I get:

An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn

If I remove the ExecutionRoleArn line and the Secrets, the stack builds fine, which is to say that JobRoleArn is happy with a value of !Ref SecretsAndS3AccessRole. (But I need the secrets, and to use secrets you need an execution role.) And if I hardcode the ARN there, it works fine.

What is different about ExecutionRoleArn that it doesn't allow a !Ref? According to the documentation for JobDefinition/ContainerProperties, JobRoleArn and ExecutionRoleArn seem the same sort of object.

If I instead use:

ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn

Then it works fine! I tested removing JobRoleArn entirely - that makes my job fail. I tested changing it to also be JobRoleArn: !GetAtt SecretsAndS3AccessRole.Arn -- that succeeds. So the mystery is: JobRoleArn likes its value either in Ref or GetAtt form, but ExecutionRoleArn requires GetAtt form. Why the difference?

asked 2 years ago, 370 views
1 answer
0

Ref returns different values depending on the referenced resource.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html

For IAM Role, the Role name.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values

I don't see why JobRoleArn works normally with !Ref.
But it is better to use !GetAtt for both.

hayao-k
answered 2 years ago
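The answer's point (Ref on an AWS::IAM::Role returns the role name, while the Batch API validates ExecutionRoleArn as an ARN) is easy to catch before deploying. Below is an added example, not code from the question, the answer, or AWS: a small stand-alone linter that walks a CloudFormation template in its JSON form (the `{"Ref": ...}` / `{"Fn::GetAtt": [...]}` equivalent of the YAML short forms) and reports every property ending in `RoleArn` whose value would resolve to a role name rather than an ARN. The embedded template is a constructed, trimmed JSON rendering of the question's template with the `Ref` left on ExecutionRoleArn; the function and constant names are this example's own.

```python
"""Lint a CloudFormation template (JSON form) for *RoleArn properties that
use Ref on an AWS::IAM::Role. Ref on a role yields the role *name*, which
the Batch RegisterJobDefinition call rejects as "not an iam role arn"."""
import json
import re

# Account-scoped IAM role ARN, e.g. arn:aws:iam::123456789012:role/MyRole
IAM_ROLE_ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

# Constructed sample: JSON equivalent of the question's YAML, with JobRoleArn
# already switched to GetAtt and ExecutionRoleArn still using Ref. The
# account id and secret name are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "SecretsAndS3AccessRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}}
    },
    "JobDefinition": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "ContainerProperties": {
          "Image": "uri/to/my/image",
          "JobRoleArn": {"Fn::GetAtt": ["SecretsAndS3AccessRole", "Arn"]},
          "ExecutionRoleArn": {"Ref": "SecretsAndS3AccessRole"},
          "Secrets": [{"Name": "MY_SECRET",
                       "ValueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:PLACEHOLDER"}]
        }
      }
    }
  }
}
""")


def classify(value, resources):
    """Return (kind, detail) where kind is 'arn', 'name' or 'unknown'."""
    if isinstance(value, str):
        return ("arn" if IAM_ROLE_ARN_RE.match(value) else "unknown", value)
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key == "Ref":
            rtype = resources.get(arg, {}).get("Type")
            # Per the CloudFormation docs, Ref on AWS::IAM::Role is the role name
            if rtype == "AWS::IAM::Role":
                return ("name", f"Ref {arg}")
            return ("unknown", f"Ref {arg}")
        if key == "Fn::GetAtt":
            logical, attr = arg if isinstance(arg, list) else arg.split(".", 1)
            rtype = resources.get(logical, {}).get("Type")
            if rtype == "AWS::IAM::Role" and attr == "Arn":
                return ("arn", f"GetAtt {logical}.Arn")
            return ("unknown", f"GetAtt {logical}.{attr}")
    return ("unknown", repr(value))


def find_role_arn_misuse(template):
    """Walk all resources; return (path, kind, detail) for each *RoleArn
    property whose value cannot be shown to be an IAM role ARN."""
    resources = template.get("Resources", {})
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                if k.endswith("RoleArn"):
                    kind, detail = classify(v, resources)
                    if kind != "arn":
                        findings.append((".".join(path + [k]), kind, detail))
                walk(v, path + [k])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)])

    walk(resources, [])
    return findings


if __name__ == "__main__":
    for path, kind, detail in find_role_arn_misuse(SAMPLE_TEMPLATE):
        print(f"{path}: {detail} resolves to a role {kind}; "
              f"use Fn::GetAtt [logical id, Arn] instead")
```

Run against the sample it flags only ExecutionRoleArn, which is exactly the line the stack failed on; the same walk would also catch a Ref slipped into any other `*RoleArn` property (ECS task definitions, Lambda, and so on), so it is a cheap pre-deploy check to drop into a template CI step.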
