2

I like how a role + inline policy is created when I deploy my template:

Resources:
    MyFUnction:
        Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
        Properties:
            Description: Enter description of what this specific Lambda does
            CodeUri: hello_world/build/
            Handler: app.lambda_handler
            Runtime: python2.7

            Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
                Variables:
                    PARAM1: VALUE

            Policies:
                # Using AWSLambdaExecute automatically creates a role named: <StackName>Role-<UUID>
                - AWSLambdaExecute
                # This policy is assigned as an Inline policy to the role
                - Version: '2012-10-17' # Policy Document
                  Statement:
                      Effect: Allow
                      Action: ......

Now can I ref the role that is dynamically created and add an Output: for it in the SAM template?

red888
  • The docs don't seem to provide a way for you to retrieve the IAM execution role. You might be able to write a CloudFormation macro to get this info if absolutely needed. Are you sure that you actually need it? I'd have thought that it was internal to this specific serverless deployment. – jarmod Sep 19 '18 at 22:31
  • Don't really need it, but I'd like my outputs to have this info. It's a nice to have. – red888 Sep 19 '18 at 22:40

2 Answers

6

The resulting role that SAM creates for you is just the name of your function with "Role" added to the end. You can use this information to get the Role or properties of it using normal CloudFormation functions.

For example, if you wanted to access the role ARN of MyFunction, you would use !GetAtt MyFunctionRole.Arn in your SAM YAML template. The same principle should apply for !Ref and other functions.

Keeton Hodgson
4

I was able to test a solution to this. In the SAM template.yaml you can add an Output, as you would in CloudFormation, for the Logical ID that is created automatically for you as part of the Transform when using Properties such as Policies for AWS::Serverless::Function.

The Logical ID of the resulting IAM Role is <Function Logical ID>Role. I used the below:

Outputs:
  LambdaRole:
    Value: 
      Fn::GetAtt: 
        - "LambdaFunctionRole"
        - "Arn"
    Description: "Lambda IAM Role"
stuntkiwi
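
The naming rule from both answers, applied across a whole template, as an added example that is not part of either answer and is not SAM's own code. It lists the role logical IDs SAM will generate and adds an ARN output for each, so the generated roles and their inline policies are easy to find for review after deployment. It skips functions that set their own Role property, since SAM generates no role for those. The sample template and the resource names PinnedFunction and SharedRole are constructed for illustration.

```python
import copy
import json

# Constructed sample: the question's template reduced to the relevant keys,
# plus a hypothetical second function that brings its own role.
TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.lambda_handler",
                           "Policies": ["AWSLambdaExecute"]},
        },
        "PinnedFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.lambda_handler",
                           "Role": {"Fn::GetAtt": ["SharedRole", "Arn"]}},
        },
        "SharedRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    },
}


def implicit_role_ids(template):
    """Map function logical ID -> logical ID of the role SAM generates for it."""
    roles = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        # A function with its own Role property gets no generated role.
        # Assumption: only the per-function property is checked, not Globals.
        if "Role" in (res.get("Properties") or {}):
            continue
        roles[logical_id] = logical_id + "Role"
    return roles


def add_role_outputs(template):
    """Return a copy of the template with one ARN output per generated role."""
    out = copy.deepcopy(template)
    outputs = out.setdefault("Outputs", {})
    for fn_id, role_id in implicit_role_ids(template).items():
        # setdefault keeps any output the template author already declared.
        outputs.setdefault(role_id + "Arn", {
            "Description": f"Execution role SAM generates for {fn_id}",
            "Value": {"Fn::GetAtt": [role_id, "Arn"]},
        })
    return out


if __name__ == "__main__":
    print(json.dumps(add_role_outputs(TEMPLATE)["Outputs"], indent=2))
```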