Can't create a AWS Batch JobDefinition JobRoleArn in Cloudformation using a !Ref

0

I'm trying to create a Batch setup in Cloudformation. I have in Resources an IAM Role:

  SecretsAndS3AccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: batch.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'

Then in my JobDefinition I have:

  JobDefinition:
    Type: 'AWS::Batch::JobDefinition'
    Properties:
      Type: container
      ContainerProperties:
        Image: uri/to/my/image
        Vcpus: 2
        Memory: 2000
        Command:
          - /simple-test
        Privileged: true
        JobRoleArn: !Ref SecretsAndS3AccessRole
        ExecutionRoleArn: !Ref SecretsAndS3AccessRole
        Secrets:
          - Name: MY_SECRET
            ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
      RetryStrategy:
        Attempts: 1

When I try to build the stack, I get:

An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn

If I remove the ExecutionRoleArn line and the Secrets, the stack builds fine, which is to say that JobRoleArn is happy with a value of !Ref SecretsAndS3AccessRole. (But I need the secrets, and to use secrets you need an execution role.) And if I hardcode the ARN there, it works fine.

What is different about ExecutionRoleArn that it doesn't allow a !Ref? According to the documentation for JobDefinition/ContainerProperties, JobRoleArn and ExecutionRoleArn seem the same sort of object.

If I instead use:

ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn

Then it works fine! I tested removing JobRoleArn entirely - that makes my job fail. I tested changing it to also be JobRoleArn: GetAtt SecretsAndS3AccessRole.Arn -- that succeeds. So the mystery is: JobRoleArn likes its value either in Ref or GetAtt form, but ExecutionRoleArn requires GetAtt form. Why the difference?

質問済み 2年前369ビュー
1回答
0

Ref returns different values depending on the referenced resource.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html

For IAM Role, the Role name.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values

I don't see why JobRoleArn works normally with !Ref.
But it is better to use !GetAtt for both.

profile picture
hayao-k
回答済み 2年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ