Combine Sub and Ref function


I have the following Principal ARN but I am getting the error "Policy contains a statement with one or more invalid principals". Is it possible to combine the Sub and Ref functions?

                  - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/${AWS::Region}/!Ref AssumedRole 
              Action: '*'
              Resource: '*'
asked a month ago, 77 views
2 answers
Accepted answer

Yes, and actually you are already doing it but perhaps did not realise. When using !Sub, the !Ref (and !GetAtt) syntax switches to using ${...} instead. So, for example, where you have used ${AWS::Region}, that is the equivalent of using !Ref AWS::Region, so in your example it would be:

              - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/${AWS::Region}/${AssumedRole}
          Action: '*'
          Resource: '*'

I hope this makes sense.

AWS
answered a month ago
reviewed a month ago
  • It worked! Thank you.



I don't think it's necessary to combine them.
As stated in the following document, if you specify the logical ID of !Sub as ${AssumedRole}, you can get the same value as !Ref.

If you specify template parameter names or resource logical IDs, such as ${InstanceTypeParameter}, CloudFormation returns the same values as if you used the Ref intrinsic function. If you specify resource attributes, such as ${MyInstance.PublicIp}, CloudFormation returns the same values as if you used the Fn::GetAtt intrinsic function.

I think the problem can be solved simply by doing the following:

!Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/${AWS::Region}/${AssumedRole}
answered a month ago
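
Both answers come down to the same rule: inside a !Sub string, `!Ref` and `!GetAtt` are literal text and only `${...}` is substituted. The following check is an added example, not part of either answer; it scans template text for that mistake and proposes the `${...}` form. The function name and the sample template are constructed for illustration, and it assumes short-form intrinsics written on a single line.

```python
import re

# Short-form intrinsic calls that are NOT evaluated when they appear as
# literal text inside a !Sub string.
NESTED = re.compile(r"!(Ref|GetAtt)\s+([A-Za-z0-9:]+(?:\.[A-Za-z0-9.]+)?)")
# A !Sub / Fn::Sub scalar and the string that follows it on the same line.
SUB = re.compile(r"(?:!Sub|Fn::Sub:)\s+(.*)$")


def find_literal_intrinsics(template_text):
    """Return (line_no, original, suggested) for each !Sub string that
    embeds !Ref/!GetAtt as plain text instead of ${...}."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        m = SUB.search(line)
        if not m:
            continue
        body = m.group(1).strip()
        if not NESTED.search(body):
            continue
        # "!Ref Name" -> "${Name}", "!GetAtt Res.Attr" -> "${Res.Attr}"
        fixed = NESTED.sub(lambda n: "${" + n.group(2) + "}", body)
        findings.append((line_no, body, fixed))
    return findings


# Constructed sample template fragment (modelled on the question above).
SAMPLE = """\
Principal:
  AWS:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/${AWS::Region}/!Ref AssumedRole
    - !Sub arn:aws:iam::${AWS::AccountId}:role/${AssumedRole}
Value: !Sub http://!GetAtt MyInstance.PublicIp/health
"""

if __name__ == "__main__":
    for line_no, original, suggested in find_literal_intrinsics(SAMPLE):
        print(f"line {line_no}: {original}\n   use: {suggested}")
```

Running it before deployment catches the malformed principal ARN that otherwise surfaces only as the "invalid principals" error at stack creation.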
