I'm trying to create a Batch setup in Cloudformation. I have in Resources an IAM Role:
  SecretsAndS3AccessRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: batch.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
Then in my JobDefinition I have:
  JobDefinition:
    Type: 'AWS::Batch::JobDefinition'
    Properties:
      Type: container
      ContainerProperties:
        Image: uri/to/my/image
        Vcpus: 2
        Memory: 2000
        Command:
          - /simple-test
        Privileged: true
        JobRoleArn: !Ref SecretsAndS3AccessRole
        ExecutionRoleArn: !Ref SecretsAndS3AccessRole
        Secrets:
          - Name: MY_SECRET
            ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
      RetryStrategy:
        Attempts: 1
When I try to build the stack, I get:
An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn
If I remove the ExecutionRoleArn line and the Secrets, the stack builds fine, which is to say that JobRoleArn is happy with a value of !Ref SecretsAndS3AccessRole. (But I need the secrets, and to use secrets you need an execution role.) And if I hardcode the ARN there, it works fine.
What is different about ExecutionRoleArn that it doesn't allow a !Ref? According to the documentation for JobDefinition/ContainerProperties, JobRoleArn and ExecutionRoleArn seem to be the same sort of object.
If I instead use:
ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn
Then it works fine! I tested removing JobRoleArn entirely - that makes my job fail. I tested changing it to also be JobRoleArn: !GetAtt SecretsAndS3AccessRole.Arn -- that succeeds. So the mystery is: JobRoleArn likes its value in either Ref or GetAtt form, but ExecutionRoleArn requires GetAtt form. Why the difference?
Interesting - I got that syntax from this AWS Blog article: https://aws.amazon.com/blogs/compute/using-aws-cloudformation-to-create-and-manage-aws-batch-resources/ - it creates a stack using that form.
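An added template fragment, not the asker's or AWS's code, that combines the working !GetAtt form from the question with a dedicated, least-privilege execution role instead of sharing one role that carries SecretsManagerReadWrite and AmazonS3FullAccess. On an AWS::IAM::Role, !Ref returns the role name (the value visible in the error message) while !GetAtt ...Arn returns the full ARN; the secret ARN, image URI and command are the question's own placeholders, and the BatchExecutionRole and policy names are assumed.

```yaml
Resources:
  # Added: a separate execution role for the ECS agent (image pull, log setup,
  # Secrets resolution). Only ecs-tasks.amazonaws.com may assume it, and it can
  # read just this one secret rather than every secret in the account.
  BatchExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: ReadMySecretOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                # the secret ARN from the question (placeholder account id as given)
                Resource: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
  JobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      ContainerProperties:
        Image: uri/to/my/image
        Vcpus: 2
        Memory: 2000
        Command: [/simple-test]
        # !GetAtt ...Arn yields the ARN that RegisterJobDefinition validates;
        # !Ref on an AWS::IAM::Role yields only the role name (the value in the error).
        # SecretsAndS3AccessRole is the question's own role, kept as the job role here.
        JobRoleArn: !GetAtt SecretsAndS3AccessRole.Arn
        ExecutionRoleArn: !GetAtt BatchExecutionRole.Arn
        Secrets:
          - Name: MY_SECRET
            ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-abcdef
```

If the secret is encrypted with a customer-managed KMS key, the execution role additionally needs kms:Decrypt on that key, which this fragment does not grant.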