Yes, and actually you are already doing it but perhaps did not realise. When using !Sub the !Ref (and !GetAtt) syntax switches to using ${...} instead. So for example where you have used ${AWS::Region} is the equivalent of using !Ref AWS::Region so in your example it would be:
Principal:
  AWS:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/${AssumedRole}
Action: '*'
Resource: '*'
I hope this makes sense.
Hello.
I don't think it's necessary to combine them.
As stated in the following document, if you specify the logical ID of !Sub as ${AssumedRole}, you can get the same value as !Ref.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-sub.html#w8aac34c28c69b7
If you specify template parameter names or resource logical IDs, such as ${InstanceTypeParameter}, CloudFormation returns the same values as if you used the Ref intrinsic function. If you specify resource attributes, such as ${MyInstance.PublicIp}, CloudFormation returns the same values as if you used the Fn::GetAtt intrinsic function.
I think the problem can be solved simply by doing the following:
!Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/${AssumedRole}
It worked! Thank you.
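The substitution rules both answers describe can be checked offline before a policy is deployed. The following is an added example, not code from the thread or from AWS: a small resolver for the string form of Fn::Sub that treats `${Name}` as Ref, `${LogicalId.Attribute}` as Fn::GetAtt and `${!Name}` as a literal, so the rendered principal ARN can be inspected. The account ID, region and role name are constructed sample values, and `resolve_sub` is a hypothetical helper name.

```python
import re

# Matches ${Name}, ${LogicalId.Attribute} and the ${!Literal} escape of Fn::Sub.
_TOKEN = re.compile(r"\$\{(!?)([^}]+)\}")

# The principal ARN from the answers above.
SSO_ROLE_ARN = (
    "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/"
    "sso.amazonaws.com/${AWS::Region}/${AssumedRole}"
)

# Constructed sample values standing in for what Ref would return.
SAMPLE_REFS = {
    "AWS::AccountId": "111122223333",
    "AWS::Region": "eu-west-1",
    "AssumedRole": "AWSReservedSSO_Example_0123456789abcdef",
}


def resolve_sub(template, refs, attrs=None):
    """Resolve the string form of Fn::Sub.

    refs  : values Ref would return (parameters, pseudo parameters, logical IDs)
    attrs : values Fn::GetAtt would return, keyed "LogicalId.Attribute"
    """
    attrs = attrs or {}

    def replace(match):
        bang, name = match.group(1), match.group(2)
        if bang:            # ${!Name} is emitted as the literal text ${Name}
            return "${" + name + "}"
        if name in refs:    # same value as !Ref Name
            return str(refs[name])
        if name in attrs:   # same value as !GetAtt LogicalId.Attribute
            return str(attrs[name])
        # This example fails loudly on a misspelled variable instead of
        # emitting a principal ARN that still contains a placeholder.
        raise KeyError(f"unresolved Fn::Sub variable: {name}")

    return _TOKEN.sub(replace, template)


if __name__ == "__main__":
    print(resolve_sub(SSO_ROLE_ARN, SAMPLE_REFS))
```

Rendering the principal this way makes it easy to confirm that the account, region and role segments land where the policy expects them, and that no placeholder survives into the ARN.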