When using a PolicyAttachment with a “default” pol...
# awsb
brief-printer-34348
02/18/2021, 8:22 PMWhen using a PolicyAttachment with a “default” policy like
AmazonS3FullAccessl
little-cartoon-10569
02/18/2021, 8:27 PMA post-deployment automated check?
little-cartoon-10569
02/18/2021, 8:27 PMI've never seen that behaviour, I'm interested to know how often it happens.
b
brief-printer-34348
02/18/2021, 8:49 PMMmm seems to happen somewhat often. I have multiple stacks running in the same account. I tested a scenario whereby I “renamed” the resource to try and force the policy to reattach. When I look at the role it has no attached policies but the execution is marked successful.
brief-printer-34348
02/18/2021, 8:49 PMbrief-printer-34348
02/18/2021, 8:50 PMI renamed this resource from
-s3write-s3full Copy code
aws.iam.PolicyAttachment(f"{cluster_name}-sa-attach-s3full",
roles=[role_sa.iam_role_name],
policy_arn="arn:aws:iam::aws:policy/AmazonS3FullAccess",
opts=pulumi.ResourceOptions(depends_on=[role_sa]))l
little-cartoon-10569
02/18/2021, 8:54 PMThat must be a bug. I'm confident it has never happened to me. I've just checked all the roles that I can think of and that are similar to what you've described, and they all have all the policy attachments I expect them to have...
little-cartoon-10569
02/18/2021, 8:55 PMMaybe the python bindings? Maybe there's a hashset involved somewhere that's causing problems?
little-cartoon-10569
02/18/2021, 8:57 PMTBF, I'm not much of a sample case.. I've checked 3 roles with AWS-provided policies attached, x2 accounts / stacks.
b
brief-printer-34348
02/19/2021, 3:11 AMI’m using an S3 backend with multiple stacks. I don’t have permission to use the public Pulumi backend in the org I’m working with. I could try building a minimal testcase with Typescript since that seems the best supported language.