Using SSM Parameters Directly in CF template

0

I faced an issue when my CF template needed more parameters than are available in CloudFormation (200). I found a way where I can store several parameter values in one parameter and then split them using !Split.

Also, I found that CF can reference parameters from AWS SSM Parameter Store (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html#dynamic-references-ssm), and the AWS documentation shows that I can directly use a parameter from SSM in my CF code, but when I try to deploy it on my stack, it fails.

This is the resource I'm trying to create:

IAMRoleTest:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    RoleName: '{{resolve:ssm:Rolename:1}}'
    AssumeRolePolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
    MaxSessionDuration: 3600
    ManagedPolicyArns:
      - !Sub "arn:aws:iam::${AWS::Region}:policy/PolicyName"

The Rolename parameter in SSM is named "test-role".

asked a month ago · 96 views
1 Answer
0

Hi there

What is the error you are getting when the stack fails? One issue I see is that you are specifying {AWS::Region} in your ManagedPolicyArns. Managed policies don't have a region in their ARNs, as IAM is a global service. Please make sure you copy the ARN from the IAM policy. Example: arn:aws:iam::aws:policy/ReadOnlyAccess

I tested using this template and the SSM parameter, and it works:

{
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "RoleName": "{{resolve:ssm:Rolename:1}}",
        "MaxSessionDuration": 3600,
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/ReadOnlyAccess"
        ],
        "Path": "/"
      }
    }
  }
}
AWS
EXPERT
Matt-B
answered a month ago
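
Added example, not part of the original question or answer: a small pre-deploy check in Python that walks a JSON CloudFormation template, validates each IAM managed policy ARN field by field (empty region, account of `aws` or an account ID), and lists the `{{resolve:ssm:...}}` references so the parameters can be confirmed to exist. The function names and the `SAMPLE` template (the question's role converted to JSON) are constructed for illustration.

```python
import json
import re

# {{resolve:ssm:<parameter-name>[:<version>]}} dynamic reference
SSM_REF = re.compile(r"\{\{resolve:ssm:([^:}]+)(?::(\d+))?\}\}")
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
VALID_ACCOUNT = re.compile(r"^(aws|\d{12}|<AWS\.AccountId>)$")

# Constructed sample: the role from the question, expressed as JSON.
SAMPLE = {"Resources": {"IAMRoleTest": {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "{{resolve:ssm:Rolename:1}}",
    "ManagedPolicyArns": [{"Fn::Sub": "arn:aws:iam::${AWS::Region}:policy/PolicyName"},
                          "arn:aws:iam::aws:policy/ReadOnlyAccess"]}}}}


def check_policy_arn(arn):
    """Return a list of problems with an IAM managed policy ARN (empty if none)."""
    # ${AWS::Region} contains colons, so mask placeholders before splitting.
    masked = PLACEHOLDER.sub(lambda m: "<" + m.group(1).replace("::", ".") + ">", arn)
    parts = masked.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        return ["not an IAM ARN"]
    problems = []
    if parts[3]:
        problems.append(f"region field must be empty, got {parts[3]!r}")
    if not VALID_ACCOUNT.match(parts[4]):
        problems.append(f"account field must be 'aws' or an account ID, got {parts[4]!r}")
    return problems


def lint_roles(template):
    """Collect ARN problems and SSM dynamic references from AWS::IAM::Role resources."""
    findings, ssm_refs = [], []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        for arn in props.get("ManagedPolicyArns", []):
            if isinstance(arn, dict):
                arn = arn.get("Fn::Sub")  # other intrinsics are not evaluated here
            if isinstance(arn, str):
                findings += [(name, arn, p) for p in check_policy_arn(arn)]
        for m in SSM_REF.finditer(json.dumps(props)):
            ssm_refs.append((name, m.group(1), int(m.group(2)) if m.group(2) else None))
    return findings, ssm_refs


if __name__ == "__main__":
    print(lint_roles(SAMPLE))
```

On the sample, the `!Sub` ARN is flagged because `${AWS::Region}` sits in the account position, while the `ReadOnlyAccess` ARN passes.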
