
Issue w/ Ref & Join's when building ARNs in Cloudformation/troposphere


This is per Chris Shenton on the cloudtools-dev group:

Been using tropo for a few weeks and started using AWACS so I can more easily create IAM Roles and Policy documents. Liking it a lot, thanks, guys.

But I'm stuck trying to reference a resource in an AWACS policy, I can't figure how to build the ARN. The docs show hard-wired names, e.g.:

S3:  Resource=[s3.S3_ARN("myBucket")],
SQS: Resource=[sqs.SQS_ARN(region, account, "queue1"), ],

For things that need Region and Account, is there a way to get those without hard-wiring them in my tropo script?  I was hoping to use Ref("AWS::Region") and Ref("AWS::AccountID") but those generate resources like:

"Resource": [
   "arn:aws:dynamodb:<troposphere.Ref object at 0x10978c128>:<troposphere.Ref object at 0x10978c1d0>:table/JobStateDB"
],

I'd also like to avoid hard-wiring my resource name; for example, I have a DynamoDB defined like:

r_jobstate_db = t.add_resource(
    dynamodb.Table(
        "JobStateDB",
        AttributeDefinitions=[dynamodb.AttributeDefinition("job", "S")],
        KeySchema=[dynamodb.Key("job", "HASH")],
        ProvisionedThroughput=dynamodb.ProvisionedThroughput(
            Ref(p_jobstate_readunits),
            Ref(p_jobstate_writeunits),
        )
    ))

And I want to reference it in AWACS. Below, I know the Ref()s fail as above; I think I'm relying on knowing the implementation when I access the ".title" attribute:

Statement(
    Action=[awacs.dynamodb.PutItem, ],
    Effect=Allow,
    Resource=[
        awacs.dynamodb.ARN(
            Ref("AWS::Region"),
            Ref("AWS::AccountID"),
            r_jobstate_db.title,
            ),
        ],

Any guidance on how I can:
* Get AWS "Region" and "AccountID" to build the ARN without hard-wiring
* Get the resource's name to build the ARN without peeking at code

Or is there a totally smarter way to do this, like:

  Resource=[awacs.dynamodb.MagickARN(r_jobstate_db)]

Thanks!

This seems like something we should investigate. Not sure if this is:

  1. Possible in regular cloudformation iam policies.
  2. A problem with awacs
  3. A problem with troposphere

Anyway, I think it’s curious enough that we should have a bug for it just to make sure it doesn’t get lost.

Top GitHub Comments

phobologic commented, Oct 27, 2016 (1 reaction)

I haven’t tried it, but have you tried putting the Join inside the principal object?

ntwaddell commented, Oct 27, 2016

Ahh, I did it wrong before. I forgot the AWS part. It works. Thanks @phobologic

Principal=Principal("AWS", Join("", ["arn:aws:iam::", ref_account, ":role/Administrators"])),
