Cloudformation AWS IAM Role with and without RoleName Parameter

Question

When creating a new IAM role resource using Cloudformation, AWS::IAM::Role .

There is an optional RoleName parameter, and I am not sure when if it is better practice to include the RoleName parameter or exclude it.

The following are the differences that are specified in the documentation

• If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the role name.
• If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to acknowledge your template's capabilities.
• Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions.

Are there any other functional differences betweeen using or excluding the RoleName parameter?

Answer 1

This will simply generate a name for you if you don't specify it (constructed from the stack and resource name with a random string at the end).

The only difference is re-usability. If you want to recreate the stack multiple times, it would be better to pass in this IAM role ARN as a parameter.

I'd recommend not naming, which will allow you the freedom to create the stack as many times as you want without the fear of breaking additional resources.

If you really must the recommendation from AWS is below:

Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.

Answer 2

The documentation explains that it may be dangerous to name your roles:

Naming an IAM resource can cause an unrecoverable error if you reuse the same template in multiple Regions. To prevent this, we recommend using Fn::Join and AWS::Region to create a Region-specific name, as in the following example: {"Fn::Join": ["", [{"Ref": "AWS::Region"}, {"Ref": "MyResourceName"}]]}.