Referring to GroupName in CloudFormation

Question

In an CFT with a resource - "GroupNamed" in the IAM Policy that refers a variable group name

 GroupNamed:
  Type: "AWS::IAM::Group"
  Properties:
  GroupName: xyz

 ...

 Effect: Allow
 Action: iam:AddUserToGroup
 Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/GroupNamed

How do I parameterize the group name?

Below are my attempts but throws malformed policy errors.

1.

Resource: !Join ["", ['arn:aws:iam::',!Sub ${AWS::AccountId}, ':group/',!Ref GroupNamed]]

2.

Resource: !Join ["", ['arn:aws:iam::', !Ref AWS::AccountId, ':group/', !Ref GroupNamed]]

3.

Resource:
             Fn::Join:
             - ''
             - - 'arn:aws:iam::'
               - Fn::Sub: "${AWS::AccountId}"
               - ":group/"
               - Fn::Ref: GroupNamed

Error: Template validation error: Template Error: Encountered unsupported function: Fn::Ref Supported functions are: [Fn::Base64, Fn::GetAtt, Fn::GetAZs, Fn::ImportValue, Fn::Join, Fn::Split, Fn::FindInMap, Fn::Select, Ref, Fn::Equals, Fn::If, Fn::Not, Condition, Fn::And, Fn::Or, Fn::Contains, Fn::EachMemberEquals, Fn::EachMemberIn, Fn::ValueOf, Fn::ValueOfAll, Fn::RefAll, Fn::Sub, Fn::Cidr]

Answer 1

The AWS::IAM::Group documentation says that ARN is available via GetAtt.

For example, this outputs the Group's ARN:

---
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for creating lab resources.

Resources:

  GroupNamed:
    Type: "AWS::IAM::Group"
    Properties:
      GroupName: xyz

Outputs:
  GroupARN:
    Value: !GetAtt GroupNamed.Arn

The output is: arn:aws:iam::123456789012:group/xyz

Therefore, you could just use:

Resource: !GetAtt GroupNamed.Arn

Answer 2

Assuming you’re passing in a parameter to your stack with the name of GroupName.

Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/${GroupName}