Unclear how to reference Lambda Role ARN in serverless.yml

I am trying to use these to make a lifecycle hook SNS notification and run my script based on this.

I have a set of role statements in my serverless.yml (global for the service, under the Provider block):

iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:DescribeInstances"
        - "ec2:CreateNetworkInterface"
        - "ec2:AttachNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "autoscaling:CompleteLifecycleAction"

and a CloudFormation resource:

resources:
 Resources:
   NewResource:
     Type: AWS::AutoScaling::LifecycleHook
     Properties:
       AutoScalingGroupName: AutoScalingGroupName
       LifecycleTransition: EC2_INSTANCE_TERMINATING
       NotificationTargetARN:
       RoleARN: 

How do I find out what the Role ARN for the Lambda script is inside the serverless.yml file? Is there a way under the ${self} variable to get at the role ARN, or do I need to construct my own ARN from the function name, etc.?

Hi @brettneese, this might not be much help to you right now but just want to let you know what I have done with some of my own example projects.

I wanted to have more control of the role used to execute Lambda functions, and in my case I decided to set up the role manually using the AWS IAM UI and gave it PowerUserAccess.

I then manually updated my serverless.yml with the profile I wanted to use and the role.

service: some-service

provider:
  name: aws
  runtime: nodejs4.3
  stage: dev
  profile: name-of-my-aws-credentials-profile
  region: ap-southeast-2
  role: arn:aws:iam::707945501234:role/name-of-my-serverless-power-user-role

This thread has more information about roles per function: https://github.com/serverless/serverless/pull/2073

Also there is more on custom roles in the Serverless Framework docs here: https://serverless.com/framework/docs/providers/aws/guide/iam#custom-iam-roles

Because you’re trying to use the ARN in the resources section (which is just CloudFormation) you can use the intrinsic function GetAtt.

Here’s what you need for your RoleARN:

RoleARN:
  Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]

I realize this is an old thread, but Google leads here and the last proposed solution does not work. It still results in a CF error:

Error: The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource IamRoleLambdaExecution

How did you solve this?

Using:

Role: !GetAtt YourIamRole.Arn

Worked for me.
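
The approach from the replies above, written out as an added example (not code from any poster in this thread or from the Serverless project): Fn::GetAtt only resolves a logical ID that exists in the compiled template, so the roles are declared under resources and referenced by name instead of pasting an account-specific ARN or attaching PowerUserAccess. CloudFormation documents RoleARN on a lifecycle hook as the role Auto Scaling assumes to publish to the notification target, so the hook gets its own role here. All logical IDs and policy names are hypothetical, and AutoScalingGroupName is the placeholder from the question.

```yaml
# Added example; every logical ID and policy name below is hypothetical.
service: some-service

provider:
  name: aws
  role: LambdaHookRole   # logical ID of the role declared below, not a hard-coded ARN

resources:
  Resources:
    LambdaHookRole:      # execution role for the functions, limited to what the script calls
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - { Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: "sts:AssumeRole" }
        Policies:
          - PolicyName: lifecycle-script
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:   # actions from the question, plus the log access a custom role must carry itself
                    - ec2:DescribeInstances
                    - ec2:DescribeNetworkInterfaces
                    - ec2:CreateNetworkInterface
                    - ec2:AttachNetworkInterface
                    - autoscaling:CompleteLifecycleAction
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: "*"   # narrow to specific ARNs where the action supports it
    HookTopic:
      Type: AWS::SNS::Topic
    HookNotifyRole:      # assumed by Auto Scaling to publish the lifecycle notification
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - { Effect: Allow, Principal: { Service: autoscaling.amazonaws.com }, Action: "sts:AssumeRole" }
        Policies:
          - PolicyName: publish-hook-topic
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - { Effect: Allow, Action: "sns:Publish", Resource: { Ref: HookTopic } }
    TerminationHook:
      Type: AWS::AutoScaling::LifecycleHook
      Properties:
        AutoScalingGroupName: AutoScalingGroupName   # placeholder, as in the question
        LifecycleTransition: "autoscaling:EC2_INSTANCE_TERMINATING"
        NotificationTargetARN: { Ref: HookTopic }
        RoleARN:
          Fn::GetAtt: [ HookNotifyRole, Arn ]
```

The framework generates IamRoleLambdaExecution only when it builds the default role itself, so with a custom role set on the provider that logical ID is absent from the template and any reference to it fails validation.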