https://pulumi.com logo
Join Slack
Powered by
I've been using `iam.RolePolicyAttachment` since y...
# aws
q
I've been using 
iam.RolePolicyAttachment
since yesterday to attach to an 
iam.Policy
to a role. https://pulumi-community.slack.com/archives/CRH5ENVDX/p1602563075111100 . It seemed to work. Today I am again trying to use the same 
iam.RolePolicyAttachment
. I see pulumi tell me the role attachment is created. But I look into the AWS console and look at the role or the policy itself and it's not attached. I am able to attach an aws manage policy today but not the custom policy I added yesterday. What should I be looking for as the breaking change? Why does pulumi tell me the attachment is created but I don't see it attached?
g
Can you share your full code that reproduces this?
q
I can't but I can try to summarize.
kmsKeyPolicy=aws.iam.Policy(... policy=kms_key.arn.apply(lambda: arn)....)
kms_attached_policy = aws.iam.RolePolicyAttachment(...,policy_arn=kmsKeyPolicy.arn, role=node_instance_role_arn.apply=(lambda: arn: aws.get_arn(arn).resource[5:]) ,)
I can export kms_attached_policy and I see id, policy_arn, role, urn output in terminal
If I look in aws console I do not see the policy attached, for the same role listed in output that was exported
Finally it seemed to work yesterday so I am feeling nutty
about to roll my git back to that commit.
But using the RolePolicyAttachment is working for a managed arn
Yesterday's code shares the same methods
I rolled back git to see if I made myself believe something didn't happen
I rolled back. It did not work. But it really seemed like I made this work yesterday. I am able to attach aws managed policies, just not my own policy.
After getting it to work as above I copied links to the attached policies and the git commit
Finally why does pulumi export the values and show it as created if it's not being attached?
Is there any policy that could have been applied that will not allow me to add my custom policy to a role?
Can I use the output to trace the supposedly attached event that's not showing up in my console?
I deleted the stack and reapplied and policy attached to the role. I don't understand what is going on.
rolled back to my other stack. now I see two of 3 attempted policies attached. seems like a bug or a limitation i don't understand
c
If you run this: 
pulumi up --logtostderr -v9 --debug
you might be able to see what is happening in the logs. https://www.pulumi.com/docs/reference/cli/pulumi_up/
q
That's a good idea. I am trying to create a few role policy attachments. Then is it possible that the future didn't complete before trying to attach the role to the node?
Can we manually mark dependencies in the job graph to ensure it's rendered properly?
Open in Slack
PreviousNext
Powered by