https://pulumi.com logo
Title
c

crooked-raincoat-45073

03/19/2023, 8:24 PM
Calling str on an Output[T] is not supported This should be an easy one to solve, but I have somehow a hard time getting it working. {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Federated': <pulumi.output.Output object at 0x10a205c90>}, 'Action': 'sts:AssumeRoleWithWebIdentity', 'Condition': {'StringEquals': {'*Calling str on an Output[T] is not supported*.\n\nTo get the value of an Output[T] as an Output[str] consider:\n1. o.apply(lambda v: f"prefix{v}suffix")\n\nSee https://pulumi.io/help/outputs for more details.\nThis function may throw in a future version of Pulumi.': 'sts.amazonaws.com'}}}]}
policy_json = ({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": eks_cluster.core.oidc_provider.arn
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {                    
                    f"{eks_cluster.core.oidc_provider.url.apply(lambda v: v)}": "<http://sts.amazonaws.com|sts.amazonaws.com>",                                    
                }
            }
        }
    ]
})

print(policy_json)
I tried all the different variations, but it seems I missed something obvious here
b

billowy-army-68599

03/19/2023, 8:37 PM
You’re doing the apply inside the string, do it at the root of the string build (ie: right after the =)
You can’t interpolate an output directly into the string, it needs to be known when you build the string
Also, the value after “federated” is an output so will throw the error
c

crooked-raincoat-45073

03/19/2023, 8:38 PM
can you give an example?
c

crooked-raincoat-45073

03/19/2023, 8:50 PM
try to understand a bit more, Quick question, why does this not work?
policy_json = eks_cluster.core.oidc_provider.url.apply(lambda v: json.dumps({                  
    "Version": "2012-10-17",                                                                   
    "Statement": [                                                                             
        {                                                                                      
            "Effect": "Allow",                                                                 
            "Principal": {                                                                     
                "Federated": "eks_cluster.core.oidc_provider.arn"                              
            },                                                                                 
            "Action": "sts:AssumeRoleWithWebIdentity",                                         
            "Condition": {                                                                     
                "StringEquals": {                                                              
                    f"{v}": "<http://sts.amazonaws.com|sts.amazonaws.com>",                                               
                }                                                                              
            }                                                                                  
        }                                                                                      
    ]                                                                                          
}))                                                                                            
print(f"Output is: -> {policy_json}")
b

billowy-army-68599

03/19/2023, 8:54 PM
c

crooked-raincoat-45073

03/19/2023, 10:04 PM
I made it now a bit more compact, so it suits better my use case. (the following is now working)
external_dns_role = aws.iam.Role(
    f"cr-eks-external-dns-role-{pulumi.get_stack()}",
    path="/",
    description="Role for External DNS on EKS to modify route53",
    assume_role_policy=Output.json_dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": eks_cluster.core.oidc_provider.arn,
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringLike": {
                        Output.format("{}:sub", eks_cluster.core.oidc_provider.url): "system:serviceaccount:kube-system:external-dns*",
                        Output.format("{}:aud", eks_cluster.core.oidc_provider.url): "<http://sts.amazonaws.com|sts.amazonaws.com>",
                    }
                }
            }
        ]
    }),
)