I like how a role + inline policy is created when I deploy my template:
Resources:
MyFUnction:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
Description: Enter description of what this specific Lambda does
CodeUri: hello_world/build/
Handler: app.lambda_handler
Runtime: python2.7
Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
Variables:
PARAM1: VALUE
Policies:
# Using AWSLambdaExecute automatically creates a role named: <StackName>Role-<UUID>
- AWSLambdaExecute
# This policy is assigned as an Inline policy to the role
- Version: '2012-10-17' # Policy Document
Statement:
Effect: Allow
Action: ......
Now can I ref the role that is dynamically created and add an Output: for it in the SAM template?
The resulting role that SAM creates for you is just the name of your function with "Role" added to the end. You can use this information to get the Role or properties of it using normal CloudFormation functions.
For example, if you wanted to access the role ARN of MyFunction, you would use !GetAtt MyFunctionRole.Arn in your SAM YAML template. The same principle should apply for !Ref and other functions.