Fn::GetAtt - AWS CloudFormation


The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template. When the AWS::LanguageExtensions transform transform is used, you can use intrinsic functions as a parameter to Fn::GetAtt. For more information about GetAtt return values for a particular resource, refer to the documentation for that resource in the Resource and property reference.



{ "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }


Syntax for the full function name:

Fn::GetAtt: [ logicalNameOfResource, attributeName ]

Syntax for the short form:

!GetAtt logicalNameOfResource.attributeName



The logical name (also called logical ID) of the resource that contains the attribute that you want.


The name of the resource-specific attribute whose value you want. See the resource's reference page for details about the attributes available for that resource type.

Return value

The attribute value.


Return a string

This example snippet returns a string containing the DNS name of the load balancer with the logical name myELB.


"Fn::GetAtt" : [ "myELB" , "DNSName" ]


!GetAtt myELB.DNSName

Return multiple strings

The following example template returns the SourceSecurityGroup.OwnerAlias and SourceSecurityGroup.GroupName of the load balancer with the logical name myELB.

{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "myELB": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { "AvailabilityZones": [ "eu-west-1a" ], "Listeners": [ { "LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP" } ] } }, "myELBIngressGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "ELB ingress group", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "SourceSecurityGroupOwnerId": { "Fn::GetAtt": [ "myELB", "SourceSecurityGroup.OwnerAlias" ] }, "SourceSecurityGroupName": { "Fn::GetAtt": [ "myELB", "SourceSecurityGroup.GroupName" ] } } ] } } } }
AWSTemplateFormatVersion: 2010-09-09 Resources: myELB: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - eu-west-1a Listeners: - LoadBalancerPort: '80' InstancePort: '80' Protocol: HTTP myELBIngressGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ELB ingress group SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 SourceSecurityGroupOwnerId: !GetAtt myELB.SourceSecurityGroup.OwnerAlias SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName

Example: Use a standard Identifier for multiple resources using Fn::Sub within Fn::GetAtt, Ref and Fn::ForEach

The following examples shows how to use Fn::GetAtt with Fn::Sub, in conjuction with Fn::ForEach, in the Outputs of a template to reduce the template length and verbosity. The use of Fn::Sub within Fn::GetAtt allows the template to contain one intrinsic function that can reference a different bucket at every iteration of the Fn::ForEach call.

{ "AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::LanguageExtensions", "Mappings": { "Buckets": { "Properties": { "Identifiers": ["A", "B", "C"] } } }, "Resources": { "Fn::ForEach::Buckets": [ "Identifier", {"Fn::FindInMap": ["Buckets", "Properties", "Identifiers"]}, { "S3Bucket${Identifier}": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "PublicRead", "MetricsConfigurations": [ { "Id": {"Fn::Sub": "EntireBucket${Identifier}"} } ], "WebsiteConfiguration": { "IndexDocument": "index.html", "ErrorDocument": "error.html", "RoutingRules": [ { "RoutingRuleCondition": { "HttpErrorCodeReturnedEquals": "404", "KeyPrefixEquals": "out1/" }, "RedirectRule": { "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", "ReplaceKeyPrefixWith": "report-404/" } } ] } }, "DeletionPolicy": "Retain", "UpdateReplacePolicy": "Retain" } } ] }, "Outputs": { "Fn::ForEach::BucketOutputs": [ "Identifier", {"Fn::FindInMap": ["Buckets", "Properties", "Identifiers"]}, { "Fn::ForEach::GetAttLoop": [ "Property", ["Arn", "DomainName", "WebsiteURL"], { "S3Bucket${Identifier}${Property}": { "Value": { "Fn::GetAtt": [{"Fn::Sub": "S3Bucket${Identifier}"}, {"Ref": "Property"}] } } } ] } ] } }
AWSTemplateFormatVersion: 2010-09-09 Transform: 'AWS::LanguageExtensions' Mappings: Buckets: Properties: Identifiers: - A - B - C Resources: 'Fn::ForEach::Buckets': - Identifier - Fn::FindInMap: - Buckets - Properties - Identifiers - 'S3Bucket${Identifier}': Type: 'AWS::S3::Bucket' Properties: AccessControl: PublicRead MetricsConfigurations: - Id: Fn::Sub: 'EntireBucket${Identifier}' WebsiteConfiguration: IndexDocument: index.html ErrorDocument: error.html RoutingRules: - RoutingRuleCondition: HttpErrorCodeReturnedEquals: '404' KeyPrefixEquals: out1/ RedirectRule: HostName: ec2-11-22-333-44.compute-1.amazonaws.com ReplaceKeyPrefixWith: report-404/ DeletionPolicy: Retain UpdateReplacePolicy: Retain Outputs: 'Fn::ForEach::BucketOutputs': - Identifier - Fn::FindInMap: - Buckets - Properties - Identifiers - 'Fn::ForEach::GetAttLoop': - Property - - Arn - DomainName - WebsiteURL - 'S3Bucket${Identifier}${Property}': Value: !GetAtt - !Sub 'S3Bucket${Identifier}' - !Ref Property

Supported functions

When the AWS::LanguageExtensions transform transform is not used:

  • The Fn::GetAtt logical resource name can't use functions. You must specify a string that's a resource's logical ID. For the Fn::GetAtt attribute name, you can use the Ref function.

  • The Fn::GetAtt attribute name can use the Ref function.

When the AWS::LanguageExtensions transform transform is used, within the Fn::GetAtt function, you can use the following functions. This is true with either the Fn::GetAtt logical resource name or the Fn::GetAtt attribute name.