
purple-orange-91853

05/28/2021, 9:18 PM
SOLVED
Turns out I was missing one `:` in the ARN string, causing the policy to render badly. Updated the Resource below to `Resource: "arn:aws:iam::" + await accountId + ":user/${aws:username}"` and all is well.

I am trying to write an AWS Self Manage policy and I'm stuck on getting the policy to work with AWS internal variables such as `${aws:username}` when inside the JSON policy document. I have tried the Terraform way of replacing the `$` with an `&`, but that does not work either. If I replace the Resource string in the policy document with `"*"` it works as expected. I have also tried escaping the `$` and `{}` with a `\` in the code to no avail. Code block in question:
import * as aws from "@pulumi/aws";

export const IAMSelfManagePolicy = async () => {
  // Resolve the account id of the credentials Pulumi is running under.
  const current = aws.getCallerIdentity({ async: true });
  const accountId = current.then(current => current.accountId);

  const IAMSelfManagePolicy = new aws.iam.Policy("IAMSelfManagePolicy", {
    name: "IAMSelfManagePolicy",
    path: "/",
    description: "Allow users to Self Manage their own credentials",
    policy: JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "AllowUserToChangePersonalOptions",
          Effect: "Allow",
          Action: [
            "iam:*AccessKey*",
            "iam:*SSHPublicKey*",
            "iam:*LoginProfile",
            "iam:ChangePassword"
          ],
          // Bug behind the bad policy (see the SOLVED note above): an IAM ARN has an
          // empty region field, so this must read "arn:aws:iam::" with two colons.
          // The "${aws:username}" part is fine: a double-quoted JS string does not
          // interpolate it, so IAM receives the policy variable verbatim.
          Resource: "arn:aws:iam:" + await accountId + ":user/${aws:username}"
        }
      ]
    }),
  });
  return IAMSelfManagePolicy;
}
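An added example (not code from the original post or from Pulumi) that builds the same policy document in plain TypeScript and checks the shape of the Resource ARN before it would be passed to `aws.iam.Policy`, so the missing-colon mistake is caught locally instead of as a rejected policy. The 12-digit account id used when calling it is a constructed placeholder for what `aws.getCallerIdentity()` returns.

```typescript
// Added example, not from the original post. Builds the self-manage policy
// document and validates the IAM user ARN; the account id passed in by the
// caller is a constructed placeholder for aws.getCallerIdentity().accountId.

// IAM resolves ${aws:username} itself when the policy is evaluated. Inside a
// double-quoted JS string "${...}" is literal text, so no escaping is needed.
const USERNAME_VAR = "${aws:username}";

// ARN layout: arn:partition:service:region:account-id:resource. IAM is a global
// service, so the region field is empty, which produces the "iam::" double
// colon the original code was missing.
function selfManageUserArn(accountId: string): string {
  return "arn:aws:iam::" + accountId + ":user/" + USERNAME_VAR;
}

// Same ARN via a template literal: here the policy variable must be written
// \${aws:username}, otherwise TypeScript tries to interpolate `aws:username`.
function selfManageUserArnTemplate(accountId: string): string {
  return `arn:aws:iam::${accountId}:user/\${aws:username}`;
}

// Shape check for an IAM user ARN. The resource segment may itself contain a
// colon (${aws:username} does), so only the first five fields are split out.
function isWellFormedIamUserArn(arn: string): boolean {
  const m = /^arn:([^:]+):([^:]+):([^:]*):([^:]*):(.+)$/.exec(arn);
  if (m === null) return false;
  const [, , service, region, account, resource] = m;
  // With the colon missing, the account id lands in the region field and
  // "user/${aws" in the account field, so both checks below fail.
  return service === "iam" && region === "" && /^\d{12}$/.test(account)
    && resource.startsWith("user/");
}

// The policy document from the post as a plain object, ready for JSON.stringify.
function selfManagePolicyDocument(accountId: string) {
  const resource = selfManageUserArn(accountId);
  if (!isWellFormedIamUserArn(resource)) {
    throw new Error("refusing to emit policy with malformed Resource ARN: " + resource);
  }
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowUserToChangePersonalOptions",
      Effect: "Allow",
      Action: ["iam:*AccessKey*", "iam:*SSHPublicKey*", "iam:*LoginProfile", "iam:ChangePassword"],
      Resource: resource,
    }],
  };
}
```

`JSON.stringify(selfManagePolicyDocument(accountId))` is what would go into the `policy` argument of `aws.iam.Policy` in the original code.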