https://pulumi.com logo
#general
Title
# general
e

early-musician-41645

12/10/2018, 7:26 PM
In
@Pulumi/aws
I've created a Role and a Policy, and used both RolePolicyAttachment and also PolicyAttachment, but have no luck in attaching a policy to the role. What's the way to attach policies to roles?
m

microscopic-florist-22719

12/10/2018, 7:27 PM
RolePolicyAttachment
is the way to do this. What sort of problem are you seeing?
e

early-musician-41645

12/10/2018, 7:28 PM
The policies aren't getting attached
e.g. "Permissions Policies" is empty when I look at the role in the console.
Copy code
const clusterRole = new aws.iam.Role(config.require("group")+"-k8s-cluster-role", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Action: "sts:AssumeRole",
      Principal: {
        AWS: "arn:aws:iam::"+config.require("accountId")+":root"
      },
      Effect: "Allow"
    }]
  })
});
const eksClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eks-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: eksPolicy.arn
});
const ecrReadClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("ecr-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: ecrReadPolicy.arn
});
const s3ReadRolePolicyAttachment = new aws.iam.RolePolicyAttachment("s3-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: s3ReadPolicy.arn
});
Those policies are created and I can see them via the console, but they're not listed as attached to the
clusterRole
m

microscopic-florist-22719

12/10/2018, 7:32 PM
are these policies attached to any other roles?
e

early-musician-41645

12/10/2018, 7:32 PM
not yet
but they will be
m

microscopic-florist-22719

12/10/2018, 7:32 PM
kk
e

early-musician-41645

12/10/2018, 7:33 PM
Am I supposed to use
RolePolicy
or
Policy
?
m

microscopic-florist-22719

12/10/2018, 7:33 PM
RolePolicy
, I think
e

early-musician-41645

12/10/2018, 7:33 PM
I want to attach a policy to a role and to a group
Do I need duplicate policies? One for
RolePolicy
and one
Policy
?
m

microscopic-florist-22719

12/10/2018, 7:33 PM
you might need two, yes
I'm honestly not 100% sure. I haven't used group policies before.
cc @white-balloon-205
e

early-musician-41645

12/10/2018, 7:34 PM
okay, I'll explore a bit on it
I got things working, except for this:
Copy code
// Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
const devAssumeRolePolicy = new aws.iam.Policy(groupName+"-assumerole-read-policy", {
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: [
          "sts:AssumeRole"
        ],
        Resource: [
          clusterRole.arn
        ]
      },
      {
        Effect: "Allow",
        Action: "sts:GetCallerIdentity",
        Resource: "*"
      }
    ]
  })
});
const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName+"-assumeRole-policy-attachment", {
  groups: [group],
  policyArn: devAssumeRolePolicy.arn
});
When I code in a specific string for the clusterRole.arn then it works, but when I use
clusterRole.arn
then there's a big problem
Copy code
Previewing update (tableau/mustang-aws-iam-sandbox):

     Type                 Name                                     Plan     Info
     pulumi:pulumi:Stack  mustang-aws-iam-mustang-aws-iam-sandbox           36 messages                                                                                                                                 └─ aws:iam:Policy    mustang-sandbox-assumerole-read-policy            1 error

Diagnostics:
  aws:iam:Policy (mustang-sandbox-assumerole-read-policy):
    error: transport is closing

  pulumi:pulumi:Stack (mustang-aws-iam-mustang-aws-iam-sandbox):
    panic: interface conversion: interface {} is map[string]interface {}, not string
    goroutine 178 [running]:
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.newAWSStringSet(0x2b346c0|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.newAWSStringSet(0x2b346c0>, 0xc000ac0a80, 0xc000be14e0, 0x1, 0x1)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:386 +0x254
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyStatement).equals(0xc000cb6120|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyStatement).equals(0xc000cb6120>, 0xc000cb62d0, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:176 +0x2ea
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyDocument).equals(0xc000c27300|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyDocument).equals(0xc000c27300>, 0xc000c27380, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:114 +0xf9
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.PoliciesAreEquivalent(0xc000e820f0|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.PoliciesAreEquivalent(0xc000e820f0>, 0xe3, 0xc000e84340, 0xca, 0x410044, 0xc000faf020, 0xc000ed3a40)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:50 +0x3a6
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/terraform-providers/terraform-provider-aws/aws.suppressEquivalentAwsPolicyDiffs(0x367e0fc|github.com/pulumi/pulumi-aws/vendor/github.com/terraform-providers/terraform-provider-aws/aws.suppressEquivalentAwsPolicyDiffs(0x367e0fc>, 0x6, 0xc000e820f0, 0xe3, 0xc000e84340, 0xca, 0xc000cc65b0, 0xc000faef00)
how do I get a string version of the clusterRole's ARN?
b

big-piano-35669

12/10/2018, 9:12 PM
@stocky-spoon-28903 Should also be able to help with a lot of this.
e

early-musician-41645

12/10/2018, 9:21 PM
I found out that the clusterRole was not populated by the time the Policy was read, so I did a
clusterRole.apply({ ... });
to make sure the ordering happens correctly. Is there a more Pulumi-ish way to set up ordering/dependency? Follow-up, why isn't the dependency ordering honored for the clusterRole when I need to use the
clusterRole.arn
in a policy?
s

stocky-spoon-28903

12/10/2018, 9:34 PM
I’m on the move at the moment, will comment here shortly though
e

early-musician-41645

12/10/2018, 9:35 PM
Is there a
dependsOn
I can add to enforce it?
o

orange-tailor-85423

01/21/2019, 11:58 PM
@early-musician-41645 @stocky-spoon-28903 any update on this? I think this is the issue I'm having too
did you have to go the apply route? I keep getting invalid policy doc
`function createK8sDelegation() { const awsCaller = aws.getCallerIdentity(); awsCaller.then(root => { const assumeRootRolePolicy = <aws.iam.PolicyDocument>{ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { AWS:
arn:aws:iam::${root.accountId}:root
}, Action: "sts:AssumeRole" } ] }; // Create an IAM role for K8s namespace access const k8sDevPolicies = { eksViewer: aws.iam.ReadOnlyAccess }; const k8sNamespaceAdminRole = newRoleWithPolicies( "k8sDevNSAdminRole", { description: "k8s namespace admin role for groups", assumeRolePolicy: assumeRootRolePolicy }, k8sDevPolicies ); const k8sdevpolicy = new aws.iam.Policy( "k8s-dev-namespace-policy", { description: "Policy that allow you to do K8s stuff", policy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Resource:
${k8sNamespaceAdminRole.arn}
, Action: ["sts:AssumeRole"] } ] }) }, { parent: k8sNamespaceAdminRole } ); new aws.iam.GroupPolicyAttachment("k8s-ns-to-dev-group-attachment", { group: k8sNamespaceAdminGroup, policyArn: k8sdevpolicy.arn }); return assumeRootRolePolicy; }); }`
it doesn't like the role.arn
e

early-musician-41645

01/22/2019, 6:07 PM
@orange-tailor-85423 I ended up with this and it works:
Copy code
215 clusterRole.arn.apply(arn => {
216   // Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
217   // Doing this in a .apply() block because of an ordering issue with Pulumi and getting the clusterRole.arn
218   const devAssumeRolePolicy = new aws.iam.Policy(groupName+"-assumerole-read-policy", {
219     policy: JSON.stringify({
220       Version: "2012-10-17",
221       Statement: [
222         {
223           Effect: "Allow",
224           Action: [
225             "sts:AssumeRole"
226           ],
227           Resource: [
228             arn
229           ]
230         }
231       ]
232     })
233   });
234   const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName+"-assumeRole-policy-attachment", {
235     groups: [group],
236     policyArn: devAssumeRolePolicy.arn
237   });
238 });
o

orange-tailor-85423

01/22/2019, 6:56 PM
thanks!