Unclear how to reference Lambda Role ARN in serverless.yml

brettneese · January 19, 2017, 9:24pm

I am trying to use these to make a lifecycle hook SNS notification and run my script based on this.

I have a set of role statements in my serverless.yml (global for the service, under the Provider block):

 iamRoleStatements: 
    - Effect: "Allow"
      Action:
        - "ec2:DescribeInstances"
        - "ec2:CreateNetworkInterface"
        - "ec2:AttachNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "autoscaling:CompleteLifecycleAction"

and a CloudFormation resource:

resources:
 Resources:
   NewResource:
     Type: AWS::AutoScaling::LifecycleHook
     Properties:
       AutoScalingGroupName: AutoScalingGroupName
       LifecycleTransition: EC2_INSTANCE_TERMINATING
       NotificationTargetARN:
       RoleARN:

How do I find out what the Role ARN for the Lambda script is inside the serverless.yml file? Is there a way under the ${self} variable to get at the role ARN, or do I need to construct my own ARN from the function name, etc?

dkcwd · January 21, 2017, 12:55am

Hi @brettneese, this might not be much help to you right now but just want to let you know what I have done with some of my own example projects.

I wanted to have more control of the role used to execute Lambda functions and in my case I decided to set up the role manually using the AWS IAM ui and gave it PowerUserAccess.

I then manually updated my serverless.yml with the profile I wanted to use and the role.

service: some-service

provider:
  name: aws
  runtime: nodejs4.3
  stage: dev
  profile: name-of-my-aws-credentials-profile
  region: ap-southeast-2
  role: arn:aws:iam::707945501234:role/name-of-my-serverless-power-user-role

This thread has more information about roles per function: https://github.com/serverless/serverless/pull/2073

Also there is more on custom roles in the Serverless Framework docs here: https://serverless.com/framework/docs/providers/aws/guide/iam#custom-iam-roles

rowanu · January 21, 2017, 3:53am

Because you’re trying to use the ARN in the resources section (which is just CloudFormation) you can use the intrinsic function GetAtt.

Here’s what you need for your RoleARN:

RoleARN:
  Fn::GetAtt: [ IamRoleLambdaExecution, Arn ]

kiddrew · December 4, 2019, 7:02pm

I realize this is an old thread, but Google leads here and the last proposed solution does not work. It still results in a CF error:

Error: The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource IamRoleLambdaExecution

yadynesh · January 31, 2020, 7:45am

How did you solve this?

myalias · February 13, 2020, 9:12pm

Using:

Role: !GettAtt YourIamRole.Arn

Worked for me.

jkbiggs · November 3, 2020, 1:12am

Role: !GetAtt YourIamRole.Arn

Topic		Replies	Views
Reference Lambda function role Serverless Framework	0	477	January 15, 2019
Serverless.yml provider role clarification Serverless Framework	0	321	August 18, 2020
How assign properly a in-built AWS role to a lambda deployment serverless.yml Serverless Framework lambda	1	947	June 27, 2019
How it works iamRoleStatements configuration section? Serverless Framework aws	6	24854	November 19, 2019
Existing IAM role reuse syntax/behavior Serverless Framework	3	5552	November 14, 2016

Unclear how to reference Lambda Role ARN in serverless.yml

Related Topics