Can't create a AWS Batch JobDefinition JobRoleArn in Cloudformation using a !Ref

0

I'm trying to create a Batch setup in Cloudformation. I have in Resources an IAM Role:

  SecretsAndS3AccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: batch.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'

Then in my JobDefinition I have:

  JobDefinition:
    Type: 'AWS::Batch::JobDefinition'
    Properties:
      Type: container
      ContainerProperties:
        Image: uri/to/my/image
        Vcpus: 2
        Memory: 2000
        Command:
          - /simple-test
        Privileged: true
        JobRoleArn: !Ref SecretsAndS3AccessRole
        ExecutionRoleArn: !Ref SecretsAndS3AccessRole
        Secrets:
          - Name: MY_SECRET
            ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
      RetryStrategy:
        Attempts: 1

When I try to build the stack, I get:

An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn

If I remove the ExecutionRoleArn line and the Secrets, the stack builds fine, which is to say that JobRoleArn is happy with a value of !Ref SecretsAndS3AccessRole. (But I need the secrets, and to use secrets you need an execution role.) And if I hardcode the ARN there, it works fine.

What is different about ExecutionRoleArn that it doesn't allow a !Ref? According to the documentation for JobDefinition/ContainerProperties, JobRoleArn and ExecutionRoleArn seem the same sort of object.

If I instead use:

ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn

Then it works fine! I tested removing JobRoleArn entirely - that makes my job fail. I tested changing it to also be JobRoleArn: GetAtt SecretsAndS3AccessRole.Arn -- that succeeds. So the mystery is: JobRoleArn likes its value either in Ref or GetAtt form, but ExecutionRoleArn requires GetAtt form. Why the difference?

preguntada hace 2 años368 visualizaciones
1 Respuesta
0

Ref returns different values depending on the referenced resource.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html

For IAM Role, the Role name.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values

I don't see why JobRoleArn works normally with !Ref.
But it is better to use !GetAtt for both.

profile picture
hayao-k
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas