amazon web services - Referring to GroupName in CloudFormation

In a CFT with a resource "GroupNamed" in the IAM Policy that refers to a variable group name

    GroupNamed:
      Type: "AWS::IAM::Group"
      Properties:
        GroupName: xyz

    ...

    Effect: Allow
    Action: iam:AddUserToGroup
    Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/GroupNamed

How do I parameterize the group name?

Below are my attempts, but they throw malformed policy errors.

1.

Resource: !Join ["", ['arn:aws:iam::',!Sub ${AWS::AccountId}, ':group/',!Ref GroupNamed]]

2.

Resource: !Join ["", ['arn:aws:iam::', !Ref AWS::AccountId, ':group/', !Ref GroupNamed]]

3.

    Resource:
      Fn::Join:
      - ''
      - - 'arn:aws:iam::'
        - Fn::Sub: "${AWS::AccountId}"
        - ":group/"
        - Fn::Ref: GroupNamed

Error: Template validation error: Template Error: Encountered unsupported function: Fn::Ref Supported functions are: [Fn::Base64, Fn::GetAtt, Fn::GetAZs, Fn::ImportValue, Fn::Join, Fn::Split, Fn::FindInMap, Fn::Select, Ref, Fn::Equals, Fn::If, Fn::Not, Condition, Fn::And, Fn::Or, Fn::Contains, Fn::EachMemberEquals, Fn::EachMemberIn, Fn::ValueOf, Fn::ValueOfAll, Fn::RefAll, Fn::Sub, Fn::Cidr]

2 Answers

  1. Jacob

    2019-11-13

    The AWS::IAM::Group documentation says that ARN is available via GetAtt.

    For example, this outputs the Group's ARN:

    ---
    AWSTemplateFormatVersion: 2010-09-09
    Description: CloudFormation template for creating lab resources.
    
    Resources:
    
      GroupNamed:
        Type: "AWS::IAM::Group"
        Properties:
          GroupName: xyz
    
    Outputs:
      GroupARN:
        Value: !GetAtt GroupNamed.Arn
    

    The output is: arn:aws:iam::123456789012:group/xyz

    Therefore, you could just use:

    Resource: !GetAtt GroupNamed.Arn
    
  2. James

    2019-11-13

    Assuming you’re passing in a parameter to your stack with the name of GroupName.

    Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/${GroupName}
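An added example (not from the question or either answer) that combines both answers into one deployable template: the group name is a stack parameter, the group is created from it, and a managed policy grants iam:AddUserToGroup on that single group's ARN via !GetAtt rather than on a wildcard. The parameter default "xyz" and the policy name are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - IAM group with a parameterised name and a policy scoped to that group's ARN

Parameters:
  GroupName:
    Type: String
    Default: xyz            # assumed default, override at deploy time
    Description: Name of the IAM group to create and administer

Resources:
  GroupNamed:
    Type: AWS::IAM::Group
    Properties:
      GroupName: !Ref GroupName

  # Managed policy allowing membership changes on this one group only.
  # Scoping Resource to the group's ARN avoids granting iam:AddUserToGroup on "*".
  GroupMembershipPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${GroupName}-membership-admin"   # assumed naming
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: iam:AddUserToGroup
            # Option 1 (Jacob's answer): take the ARN straight from the resource.
            Resource: !GetAtt GroupNamed.Arn
            # Option 2 (James's answer) is equivalent once the name is a parameter:
            # Resource: !Sub "arn:aws:iam::${AWS::AccountId}:group/${GroupName}"

Outputs:
  GroupArn:
    Value: !GetAtt GroupNamed.Arn
```

Run `aws cloudformation validate-template --template-body file://template.yaml` before deploying; it reports unsupported intrinsic functions such as the Fn::Ref from attempt 3 without creating any resources.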
