CloudFormation Lambda template, Expecting role to be string, when using Ref or GetAtt

Question

When creating my lambda stack I am using a role called LambdaExecutionRole, I am then referencing the ARN through fn::GetAtt

"Role": {"Fn::GetAtt": ["LambdaExecutionRole","Arn"]},

, like the documentation said, I am then given the error saying that the specified resource does not support GetAtt. So I tried with GetAtt, and I am returned:

Properties validation failed for resource GetECLambda with message: #/Code/S3Bucket: failed validation constraint for keyword [pattern] #/Role: expected type: String, found: JSONObject

I also tried with "Role":{ "!Ref" : "LambdaExecutionRole"},

From my understanding one of these should have returned a String and therefore a String would be provided, not a JSON Object. But the issue may be that the String is defined like so: {"The Arn"}, but I am unsure how to avoid that.

The Structure of my lambda and the role are as follows:

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Description" : "Stack to create the get-EC lambda",
    "Resources" : {
        "LambdaExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{ "Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]}, "Action": ["sts:AssumeRole"] }]
                },
                "Path": "/",
                "Policies": [{
                    "PolicyName": "root",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{ "Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*" }]
                    }
                }]
            }
        },
        "GetECLambda" : {
            "Type" : "AWS::Lambda::Function",
            "Properties" : {
                "FunctionName": "get-ecs",
                "Role":{ "!Ref" : "LambdaExecutionRole"},
                "Runtime": "nodejs12.x",
                "Code": {
                    "S3Bucket" : "arn:aws:s3:::flex-fit-lambda-functions-source",
                    "S3Key": "get-ecs.zip"
                }
            }
        }
    }
}

Answer 1

When specifying Cloudformation template in JSON, only this form of calling intrinsic functions is supported:

{ "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }

!Ref form is only supported for YAML. So try changing your current call to this in your template:

"Role": { "Fn::GetAtt" : [ "LambdaExecutionRole", "Arn" ] }