How to deploy a Lambda IAM role with AWS SAM CloudFormation
This is the procedure for deploying an IAM role for Lambda with AWS SAM and CloudFormation. The template below attaches three AWS managed policies: AWSLambdaBasicExecutionRole (CloudWatch Logs permissions, which every function needs) plus AmazonEC2FullAccess and AmazonS3FullAccess. The two FullAccess policies grant far more than a typical function needs; treat them as placeholders and replace them with a policy scoped to the actions and resources the function actually uses before reusing this in prod.
The stack exports two values, the role's ID and its ARN, prefixed with the Stage parameter so that other stacks can import them. Note that Stage is used only in the export names: the role itself is named from LambdaRoleName, and IAM role names are unique per account, so deploying this stack for two stages in the same account requires two different LambdaRoleName values.
template-lambda.yml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Lambda Deploy
Parameters:
  Stage:
    Description: Stage name
    Type: String
    AllowedValues:
      - prod
      - dev
      - test
  LambdaRoleName:
    Description: lambda role name
    Type: String
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref LambdaRoleName
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      # Permissions: basic execution (logs) plus two very broad managed policies
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
Outputs:
  LambdaRoleID:
    Description: LambdaRole ID
    Value: !Ref LambdaRole
    Export:
      Name: !Sub
        - ${Stage}LambdaRoleID
        - { Stage: !Ref Stage }
  LambdaRoleARN:
    Description: LambdaRole ARN
    Value: !GetAtt LambdaRole.Arn
    Export:
      Name: !Sub
        - ${Stage}LambdaRoleARN
        - { Stage: !Ref Stage }
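As an added example (not the original post's template), here is the same LambdaRole with the two FullAccess managed policies replaced by an inline policy scoped to one bucket and read-only EC2 describe calls. The DataBucketName parameter and the ScopedS3AndEc2Read policy name are assumptions; the exports are unchanged so any stack that imports them keeps working.

```yaml
# Added example, not the original post's template: LambdaRole with the
# FullAccess managed policies replaced by a scoped inline policy.
# DataBucketName is an assumed parameter; the bucket is hypothetical.
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Lambda role, least-privilege variant
Parameters:
  Stage:
    Description: Stage name
    Type: String
    AllowedValues:
      - prod
      - dev
      - test
  LambdaRoleName:
    Description: lambda role name
    Type: String
  DataBucketName:
    Description: Bucket the function is allowed to read and write (assumed)
    Type: String
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref LambdaRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only; nothing else is attached as a managed policy
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: ScopedS3AndEc2Read
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Object access limited to one bucket instead of AmazonS3FullAccess
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub arn:aws:s3:::${DataBucketName}/*
              # ListBucket is a bucket-level action, so it targets the bucket ARN
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub arn:aws:s3:::${DataBucketName}
              # ec2:Describe* does not support resource-level permissions, so
              # Resource must be "*"; still far narrower than AmazonEC2FullAccess
              - Effect: Allow
                Action:
                  - ec2:DescribeInstances
                Resource: '*'
Outputs:
  LambdaRoleID:
    Description: LambdaRole ID
    Value: !Ref LambdaRole
    Export:
      Name: !Sub ${Stage}LambdaRoleID
  LambdaRoleARN:
    Description: LambdaRole ARN
    Value: !GetAtt LambdaRole.Arn
    Export:
      Name: !Sub ${Stage}LambdaRoleARN
```

Deploy it with the same aws cloudformation deploy command as below, adding DataBucketName=<your-bucket> to --parameter-overrides. If the function later needs more, add the specific action to the inline policy rather than reaching for a FullAccess policy; each added statement is reviewable in the change set.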
Run aws cloudformation package to produce the packaged template. This template contains no local code artifacts, so nothing is uploaded and the output template matches the input; the step is kept here because it is the usual SAM workflow, and it still requires an S3 bucket to be named.
C:\tmp>aws cloudformation package --template-file template-lambda.yml --output-template-file template-lambda-out.yml --s3-bucket <BUCKET_NAME>
Successfully packaged artifacts and wrote output template to file template-lambda-out.yml.
Execute the following command to deploy the packaged template
aws cloudformation deploy --template-file C:\tmp\template-lambda-out.yml --stack-name <YOUR STACK NAME>
This writes template-lambda-out.yml in the current directory.
Deploy that file with aws cloudformation deploy to create a stack named lambda-role. Because the template sets RoleName, the deploy must pass --capabilities CAPABILITY_NAMED_IAM; CAPABILITY_IAM alone is rejected for IAM resources with custom names.
C:\tmp>aws cloudformation deploy --template-file template-lambda-out.yml --stack-name lambda-role --region ap-northeast-1 --parameter-overrides Stage=dev LambdaRoleName=SampleRole --profile=default --capabilities CAPABILITY_NAMED_IAM
Waiting for changeset to be created..
Waiting for stack create/update to complete
Successfully created/updated stack - lambda-role
Verify in the CloudFormation console that the lambda-role stack was created.
Confirming the IAM role
Verify that an IAM role named SampleRole exists.
The role has the policies specified in the template attached, and its trust relationship allows lambda.amazonaws.com to assume it.
Stack export name
On the far right of the stack's Outputs page there is an Export name column; the Exports entry in the left-hand menu lists the export names of every stack in the region.
An export name can be referenced from another template with !ImportValue <export name>, for example to set the Role of a Lambda function in a separate stack. Note that while any stack imports an export, CloudFormation will not let you delete the lambda-role stack or change the exported value.