Hei guys, I’m trying to set a policy for a lambda ...
# aws
a
Hey guys, I'm trying to set a policy for a Lambda to run post user confirmation in Cognito, and I want to give it permissions to just be able to PUT in a usersTable, but I get this error:
aws:iam:Policy (confirm-user-signup-role-policy):
    error: 1 error occurred:
        * error creating IAM Policy confirm-user-signup-role-policy-18437fc: MalformedPolicyDocument: Partition "
        1" is not valid for resource "arn:
        1: o.apply(v => v.toJSON())
        2: o.apply(v => JSON.stringify(v))
My code:
import * as aws from '@pulumi/aws'
// usersTable (an aws.dynamodb.Table), region, DBAction and
// confirmUserSignupHandler are defined elsewhere in the project.

const confirmUserIamRolePolicy = new aws.iam.Policy(
  'confirm-user-signup-role-policy',
  {
    // JSON.stringify runs immediately, while usersTable.arn is still a
    // Pulumi Output, so the Resource field is serialised as the Output's
    // toJSON() hint text instead of the table ARN. This is the line that
    // produces the MalformedPolicyDocument error above.
    policy: JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          // DBAction is the project's own enum; assumed to resolve to 'dynamodb:PutItem'
          Action: [DBAction.Put],
          Resource: usersTable.arn.apply((arn) => `${arn}`),
        },
      ],
    }),
  }
)

export const confirmUserIamRole = new aws.iam.Role('confirm-user-signup-role', {
  // Trust policy: only the Lambda service may assume this role.
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: 'lambda.amazonaws.com',
  }),
  // managedPolicyArns is exclusive and conflicts with the PolicyAttachment
  // below (the two would keep overwriting each other), so the policy is
  // attached once, via the attachment resource only.
})

// PolicyAttachment owns every attachment of this policy across all roles,
// users and groups; aws.iam.RolePolicyAttachment is the usual choice when
// the policy is only ever attached to this one role.
const confirmUserIamRolePolicyAttachment = new aws.iam.PolicyAttachment(
  'confirm-user-signup-role-policy-attachment',
  {
    policyArn: confirmUserIamRolePolicy.arn,
    roles: [confirmUserIamRole],
  }
)

export const postConfirmationLambda = new aws.lambda.CallbackFunction(
  'post-confirmation-signup-lambda',
  {
    runtime: 'nodejs14.x',
    callback: confirmUserSignupHandler,
    role: confirmUserIamRole,
    environment: {
      variables: {
        USERS_TABLE: usersTable.name,
        REGION: region,
      },
    },
  }
)
In the docs I mostly see
Resource: '*'
but haven't found a place where a policy is for a specific resource.
v
Put the policy generation inside the apply.
a
Thank you for the response. I don't quite understand what you mean. Can you give an example?
m
I provided an example in your other thread.
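The following is an added example, not part of the original thread and not Pulumi's or AWS's code. It shows why `JSON.stringify` over an object that still contains an Output yields the broken policy document, and what "put the policy generation inside the apply" looks like: the document is rendered from the resolved ARN string, so the Resource is the exact table ARN rather than `'*'`. `FakeOutput` is a stand-in for Pulumi's `Output<T>` that models only `apply` and a `toJSON` hint text (modelled on the hint that shows up inside the error output above, not Pulumi's exact wording); the table ARN is a constructed sample, and `invalidResources` approximates the partition check IAM runs, so a bad document is caught before `pulumi up`.

```typescript
// Stand-in for Pulumi's Output<T> (assumption: only apply/toJSON are modelled).
class FakeOutput<T> {
  constructor(private readonly value: T) {}
  apply<U>(fn: (v: T) => U): FakeOutput<U> {
    return new FakeOutput(fn(this.value));
  }
  // Like Pulumi's Output, JSON.stringify gets a hint string, not the value.
  toJSON(): string {
    return "Calling toJSON on an Output is not supported.\n" +
      "    1: o.apply(v => v.toJSON())\n    2: o.apply(v => JSON.stringify(v))";
  }
  // Test helper only: real Outputs cannot be unwrapped synchronously.
  unwrap(): T {
    return this.value;
  }
}

// Constructed sample ARN standing in for usersTable.arn.
export const TABLE_ARN = "arn:aws:dynamodb:eu-west-1:123456789012:table/usersTable";
export const usersTableArn = new FakeOutput(TABLE_ARN);

// Broken: stringify runs now, while the ARN is still an Output, so the
// Resource field becomes the toJSON() hint text and IAM rejects the document.
export function buildPolicyBroken(arn: FakeOutput<string>): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["dynamodb:PutItem"], Resource: arn }],
  });
}

// Fixed: render from a plain string. In the real program this is called as
//   policy: usersTable.arn.apply(renderPutOnlyPolicy)
// so stringify only runs once the ARN has resolved. Least privilege: one
// action, one resource, no wildcard.
export function renderPutOnlyPolicy(tableArn: string): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["dynamodb:PutItem"], Resource: tableArn }],
  });
}

export const fixedPolicy = usersTableArn.apply(renderPutOnlyPolicy);

// Pre-deploy check approximating IAM's partition validation: every Resource
// must be "*" or arn:<partition>:<service>:<region>:<account>:<resource>
// with a known partition. Returns the offending Resource values.
const ARN_RE = /^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]*:[a-z0-9-]*:(\d{12})?:.+$/s;
export function invalidResources(policyJson: string): string[] {
  const doc = JSON.parse(policyJson);
  const bad: string[] = [];
  for (const stmt of doc.Statement) {
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    for (const r of resources) {
      if (r !== "*" && !ARN_RE.test(String(r))) bad.push(String(r));
    }
  }
  return bad;
}

// Stand-alone run: the broken document has one bad Resource, the fixed one none.
console.log("broken:", invalidResources(buildPolicyBroken(usersTableArn)));
console.log("fixed :", invalidResources(fixedPolicy.unwrap()));
```

When several Outputs feed one document (for example the table ARN plus an index ARN), the same idea applies with `pulumi.all([a, b]).apply(([a, b]) => JSON.stringify(...))`; the rule is simply that `JSON.stringify` must run inside the callback, never around an unresolved Output.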