Does anyone know how to interpolate the id of anot...
# aws
m
Does anyone know how to interpolate the id of another resource inside an S3 bucket policy? I'm trying to do the below, but the interpolation of the originAccessIdentity.id value is not working, and results in an error:
Error putting S3 policy: MalformedPolicy: Policy has invalid principal
I can't seem to find an example anywhere that uses anything other than the bucket name in the policy.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const domain = "testing@example.com";

const contentBucket = new aws.s3.Bucket("content-bucket", {
  bucket: domain,
  acl: "private",
  website: {
    indexDocument: "index.html",
    errorDocument: "index.html",
  },
  forceDestroy: true,
});

const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity(
  "cloudfront-oai",
  {
    comment: pulumi.interpolate`OAI-${contentBucket.bucketDomainName}`,
  }
);

new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: contentBucket.bucket.apply((bucketName) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: pulumi.interpolate`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${originAccessIdentity.id}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
});
r
I don’t think you can use interpolate inside an apply. You’ll need to use Output.all
new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: pulumi.all([contentBucket.bucket, originAccessIdentity.id]).apply(([bucketName, accessId]) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${accessId}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
});
l
Many uses of policy documents have the parameter type Input<string | PolicyDocument>. This is one of them. If you see that, then you don't need to do the "big" interpolation, and often you can skip interpolating entirely.
Try this code instead:
r
^ @little-cartoon-10569 you’ll need a pulumi.interpolate for the principal too
l
Sorry, copied/edited your code instead of Daniel's :)
I should raise issues about all the other uses of policy documents that don't do this. It is sooo handy.
r
@little-cartoon-10569 definitely feel free to open an issue, but if you’re inspired to fix this yourself, we would gladly accept a PR with those changes. All it takes is this change to the appropriate resource/fields and running make build at the repo root
l
Ooo. Nice. Well, it's golang, but nice ish.
b
learned so much! https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/s3-cloudfront/index.ts here's both methods in the form of an example, but I'm using the iamArn output to make life a little easier 😄
m
thanks @little-cartoon-10569, that worked perfectly. Also thanks for the example you linked to @billowy-army-68599, I didn't see that one...
b
I just wrote it with tenwit and Komal's help, so thank them! I just like to document the solutions 😄
m
lol awesome
e
Thanks for this discussion
l
Looks like the link that Komal gave, to resources.go, is now off a bit? Line 1648 (https://github.com/pulumi/pulumi-aws/blob/e8ed71ede8a9cb457085859bff662a8b45e4b698/provider/resources.go#L1648) contains the PolicyDocument alt type.
r
No that's the right link still... you have to add the PolicyDocument alt type to any resource property where it would make sense, and the Transform
l
Yep, that's the link I included; the earlier link was to lines 732-740, which now mentions aws_cloudhsm_v2_hsm and hsm_state, which confused me 🙂
r
aha! lol okay thank you