By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Error : API: rds:ModifyOptionGroup Cross-account pass role is not allowed

0

In my cloudformation, when I hardcode the ARN the script works perfect, where as when I try to derive it using function I get the below error. Any help is appreciated

API: rds:ModifyOptionGroup Cross-account pass role is not allowed

Value for EnvType is dev and region is ap-southeast-1

  SQLOptionGroup: 
    Type: "AWS::RDS::OptionGroup"
    Properties: 
      EngineName: 'sqlserver-se'
      MajorEngineVersion: '14.00'
      OptionConfigurations: 
        - OptionName: SQLSERVER_BACKUP_RESTORE
          OptionSettings:
            - 
              Name: IAM_ROLE_ARN
              Value: !Join ["", ["arn:aws:iam::${AWS::AccountId}:role/",!Join [ "-", [ "role", !Ref "AWS::Region", !Ref EnvType ]]]]
              # Value: "arn:aws:iam::xxxxxxxxxxxx:role/role-ap-southeast-1-dev"

Edited by: vinodsrinivas on Sep 22, 2019 9:29 AM

Topics
Management & Governance
Tags
AWS CloudFormation
Language
English
vinodsrinivas
asked 6 years ago1.2K views
1 Answer
0

Hi,
I was able to fix your template Join statement..

Change:
!Join ["", ["arn:aws:iam::${AWS::AccountId}:role/",!Join [ "-", [ "role", !Ref "AWS::Region", !Ref EnvType ]]]]

To:
{"Fn::Join": ["", ["arn:aws:iam::",{"Ref": "AWS::AccountId"},":role/",{"Fn::Join": ["-", ["role", {"Ref": "AWS::Region"},{"Ref":"EnvType"}]]}]]}

Hope this helps!
-randy

EXPERT
RandyTakeshita
answered 6 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content