h
Hi - does anyone have any experience with https://www.pulumi.com/registry/packages/aws/api-docs/eks/accesspolicyassociation/ ? AccessPolicies are part of AccessEntries but there doesn't seem to be a way to associate the two using Pulumi 🤔 Even if I create an AccessEntry with an access policy via the console and import it, the resultant code just ignores the policy:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const ci_nonprod = new aws.eks.AccessEntry("ci-nonprod", {
    clusterName: "genesis-ci",
    principalArn: "arn:aws:iam::1234:role/ci-nonprod",
    userName: "arn:aws:sts::1234:assumed-role/ci-nonprod/{{SessionName}}",
}, {
    protect: true,
});
m
What do you mean by "the resultant code just ignores the policy"? aws.eks.AccessPolicyAssociation is the equivalent to the `aws eks associate-access-policy` CLI command
h
hmmm yeah you're right, I should have looked at the AWS API too. Thanks! I guess I was expecting an explicit reference between the two but it doesn't have to work like that.
m
As far as I understand, the AccessEntry is unambiguously identified by the principal ARN:
"An access entry includes the Amazon Resource Name (ARN) of one, and only one, existing IAM principal. An IAM principal can't be included in more than one access entry."
https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
So the IAM principal's ARN serves as the identifier of the AccessEntry.
h
Yes thanks. I got there in the end. I think I was also missing making the association depend on the AccessEntry being there first.