No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Can you share your full code that reproduces this?

kmsKeyPolicy=aws.iam.Policy(... policy=kms_key.arn.apply(lambda: arn)....)

kms_attached_policy = aws.iam.RolePolicyAttachment(...,policy_arn=kmsKeyPolicy.arn, role=node_instance_role_arn.apply=(lambda: arn: aws.get_arn(arn).resource[5:]) ,)

I can export kms_attached_policy and I see id, policy_arn, role, urn output in terminal

If I look in aws console I do not see the policy attached, for the same role listed in output that was exported

Finally it seemed to work yesterday so I am feeling nutty

about to roll my git back to that commit.

But using the RolePolicyAttachment is working for a managed arn

I rolled back git to see if I made myself believe something didn't happen

I rolled back. It did not work. But it really seemed like I made this work yesterday. I am able to attach aws managed policies, just not my own policy.

After getting it to work as above I copied links to the attached policies and the git commit

Finally why does pulumi export the values and show it as created if it's not being attached?

Is there any policy that could have been applied that will not allow me to add my custom policy to a role?

Can I use the output to trace the supposedly attached event that's not showing up in my console?

I deleted the stack and reapplied and policy attached to the role. I don't understand what is going on.

rolled back to my other stack. now I see two of 3 attempted policies attached. seems like a bug or a limitation i don't understand

If you run this: `pulumi up --logtostderr -v9 --debug`  you might be able to see what is happening in the logs.
<https://www.pulumi.com/docs/reference/cli/pulumi_up/>

That's a good idea. I am trying to create a few role policy attachments. Then is it possible that the future didn't complete before trying to attach the role to the node?

Can we manually mark dependencies in the job graph to ensure it's rendered properly?