I am getting an error while importing an AWS S3 bucket policy into my state.
  aws:s3:BucketPolicy (pulumi-infrastructure-bucket-policy):
    error: Preview failed: refreshing urn:pulumi:dev::bootstrap::aws:s3/bucketPolicy:BucketPolicy::pulumi-infrastructure-bucket-policy: 1 error occurred:
        * reading Amazon S3 (Simple Storage) Bucket Policy (arn:aws:s3:::infrastructure.pulumi.dev): InvalidARNError: invalid ARN
    caused by: invalid Amazon s3 ARN, unknown resource type, arn:aws:s3:::infrastructure.pulumi.dev
I created the policy in the policy editor and copied the (real) arn from the s3 console, so everything should be formally correct. I am working with the latest Pulumi release (3.72.2) with NodeJS Version v18.16.0. Any ideas why the simple import command fails?
Fun fact, setting the plain json document on the resource worked:
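new aws.s3.BucketPolicy("pulumi-infrastructure-bucket-policy", {
    bucket: bucket.bucket,
    policy: {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    // resource ARN entries were not preserved in the original message
                ],
                // deny any request that does not use TLS
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    },
});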
Importing with
pulumi import
Did you get the type token and id the right way round (pulumi import <type> <name> <id/arn>)?
Copied the command from the docs and replaced the parts with my values
Shouldn't the policy arn differ from the bucket arn?
I guess not, as the policy is part of the bucket permissions.
Actually the policy editor in the web console mentions the bucket arn
Uhhhhhhh, wait
pulumi import aws:s3/bucketPolicy:BucketPolicy allow_access_from_another_account my-tf-test-bucket
I guess I was kind of overeager and replaced my-tf-test-bucket with the arn
Let me check
I think for the import command you probably just need the name part of the arn
New error .. life hates me today 😆
error: no name for resource urn:pulumi:dev::bootstrap::aws:s3/bucket:bucket::pulumi-infrastructure-bucket
What puzzles me, pulumi-infrastructure-bucket isn’t the name I used for the import.
That is the name of the bucket in the state
That is odd, import shouldn't care about any other resource except the one you're importing
What exactly does your import command look like?
pulumi import aws:s3/bucketPolicy:BucketPolicy pulumi-infrastructure-bucket-policy infrastructure.pulumi.dev
The actual name of the bucket is longer, I have shortened it
That looks reasonable, this probably needs an issue raising at https://github.com/pulumi/pulumi-aws/issues
Might be something's not quite lined up because bucket policies are kinda not really their own resources but just a property on the bucket itself
Sounds reasonable