No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi all :wave: I’m trying to create a custom authorizer for an AWS API Gateway. I’ve been following an example in the Terraform documentation - <https://www.terraform.io/docs/providers/aws/r/api_gateway_authorizer.html> - but I’m coming unstuck when trying to define a role policy that references a lambda. Thread:

AWS responds with `MalformedPolicyDocument: Syntax errors in policy.`, and indeed the policy looks completely wrong `{"Version":"2012-10-17","Statement":[{"Action":"lambda:InvokeFunction","Effect":"Allow","Resource":{"__pulumiOutput":true,"isKnown":{}}}]}`.

I’m creating the policy like so:
```
    const invocationPolicy = new aws.iam.RolePolicy(`${apiName}-authorizer-invoke-lambda-role-policy`, {
      role: invocationRole,
      policy: JSON.stringify({
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "lambda:InvokeFunction",
            "Effect": "Allow",
            "Resource": authorizerLambda.arn    // &lt;==== HERE
          }
        ]
      }),
    }, { dependsOn: authorizerLambda });    // &lt;=== I tried adding this to see if it would help
```

I found the answer further up - I needed to use `.apply()` like so:
```
     policy: authorizerLambda.arn.apply(arn =&gt; JSON.stringify({
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "lambda:InvokeFunction",
            "Effect": "Allow",
            "Resource": arn
          }
        ]
      })),
```

Yep - `apply` is the key to taking an output from one resource and using it to construct an input for another (in this case the policy document). Glad you found the answer - we know we need more docs on this!