early-musician-41645
12/10/2018, 7:26 PM
@Pulumi/aws
I've created a Role and a Policy, and used both RolePolicyAttachment and also PolicyAttachment, but have no luck in attaching a policy to the role. What's the way to attach policies to roles?
microscopic-florist-22719
RolePolicyAttachment is the way to do this. What sort of problem are you seeing?
early-musician-41645
12/10/2018, 7:28 PM
// config, eksPolicy, ecrReadPolicy and s3ReadPolicy are defined earlier in the program (not shown in this paste)
const clusterRole = new aws.iam.Role(config.require("group") + "-k8s-cluster-role", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Principal: {
                AWS: "arn:aws:iam::" + config.require("accountId") + ":root"
            },
            Effect: "Allow"
        }]
    })
});
// Managed-policy attachments: each one links an existing policy ARN to the role
const eksClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eks-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: eksPolicy.arn
});
const ecrReadClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("ecr-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: ecrReadPolicy.arn
});
const s3ReadRolePolicyAttachment = new aws.iam.RolePolicyAttachment("s3-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: s3ReadPolicy.arn
});
clusterRole
microscopic-florist-22719
early-musician-41645
12/10/2018, 7:32 PM
microscopic-florist-22719
early-musician-41645
12/10/2018, 7:33 PM
RolePolicy or Policy?
microscopic-florist-22719
RolePolicy, I think
early-musician-41645
12/10/2018, 7:33 PM
RolePolicy and one Policy?
microscopic-florist-22719
early-musician-41645
12/10/2018, 7:34 PM
// Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
// groupName and group are defined earlier in the program (not shown in this paste)
const devAssumeRolePolicy = new aws.iam.Policy(groupName + "-assumerole-read-policy", {
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "sts:AssumeRole"
                ],
                Resource: [
                    // clusterRole.arn is a pulumi Output<string>, not a string, so JSON.stringify
                    // serialises it as an object rather than the ARN (this is what the panic below reports)
                    clusterRole.arn
                ]
            },
            {
                Effect: "Allow",
                Action: "sts:GetCallerIdentity",
                Resource: "*"
            }
        ]
    })
});
const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName + "-assumeRole-policy-attachment", {
    groups: [group],
    policyArn: devAssumeRolePolicy.arn
});
clusterRole.arn then there's a big problem
Previewing update (tableau/mustang-aws-iam-sandbox):
     Type                 Name                                     Plan  Info
     pulumi:pulumi:Stack  mustang-aws-iam-mustang-aws-iam-sandbox        36 messages
 └─  aws:iam:Policy       mustang-sandbox-assumerole-read-policy         1 error

Diagnostics:
  aws:iam:Policy (mustang-sandbox-assumerole-read-policy):
    error: transport is closing

  pulumi:pulumi:Stack (mustang-aws-iam-mustang-aws-iam-sandbox):
    panic: interface conversion: interface {} is map[string]interface {}, not string
    goroutine 178 [running]:
    github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.newAWSStringSet(0x2b346c0, 0xc000ac0a80, 0xc000be14e0, 0x1, 0x1)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:386 +0x254
    github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyStatement).equals(0xc000cb6120, 0xc000cb62d0, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:176 +0x2ea
    github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyDocument).equals(0xc000c27300, 0xc000c27380, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:114 +0xf9
    github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.PoliciesAreEquivalent(0xc000e820f0, 0xe3, 0xc000e84340, 0xca, 0x410044, 0xc000faf020, 0xc000ed3a40)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:50 +0x3a6
    github.com/pulumi/pulumi-aws/vendor/github.com/terraform-providers/terraform-provider-aws/aws.suppressEquivalentAwsPolicyDiffs(0x367e0fc, 0x6, 0xc000e820f0, 0xe3, 0xc000e84340, 0xca, 0xc000cc65b0, 0xc000faef00)
big-piano-35669
early-musician-41645
12/10/2018, 9:21 PM
clusterRole.apply({ ... }); to make sure the ordering happens correctly.
Is there a more Pulumi-ish way to set up ordering/dependency?
Follow-up, why isn't the dependency ordering honored for the clusterRole when I need to use the clusterRole.arn in a policy?
stocky-spoon-28903
12/10/2018, 9:34 PM
early-musician-41645
12/10/2018, 9:35 PM
dependsOn I can add to enforce it?
orange-tailor-85423
01/21/2019, 11:58 PM
// The paste starts part-way through the assume-role policy document; the enclosing
// function and the variables root, newRoleWithPolicies and k8sNamespaceAdminGroup are not shown
                arn:aws:iam::${root.accountId}:root
            },
            Action: "sts:AssumeRole"
        }
    ]
};
// Create an IAM role for K8s namespace access
const k8sDevPolicies = {
    eksViewer: aws.iam.ReadOnlyAccess
};
const k8sNamespaceAdminRole = newRoleWithPolicies(
    "k8sDevNSAdminRole",
    {
        description: "k8s namespace admin role for groups",
        assumeRolePolicy: assumeRootRolePolicy
    },
    k8sDevPolicies
);
const k8sdevpolicy = new aws.iam.Policy(
    "k8s-dev-namespace-policy",
    {
        description: "Policy that allow you to do K8s stuff",
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Effect: "Allow",
                    // Resource interpolates the role ARN; the template-literal backticks are assumed
                    // here, and k8sNamespaceAdminRole.arn is still an Output<string> at this point
                    Resource: `${k8sNamespaceAdminRole.arn}`,
                    Action: ["sts:AssumeRole"]
                }
            ]
        })
    },
    { parent: k8sNamespaceAdminRole }
);
new aws.iam.GroupPolicyAttachment("k8s-ns-to-dev-group-attachment", {
    group: k8sNamespaceAdminGroup,
    policyArn: k8sdevpolicy.arn
});
return assumeRootRolePolicy;
});
}
early-musician-41645
01/22/2019, 6:07 PM
clusterRole.arn.apply(arn => {
    // Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
    // Doing this in a .apply() block because of an ordering issue with Pulumi and getting the clusterRole.arn
    // Inside the callback, arn is a resolved string, so JSON.stringify emits the real ARN
    const devAssumeRolePolicy = new aws.iam.Policy(groupName + "-assumerole-read-policy", {
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    Effect: "Allow",
                    Action: [
                        "sts:AssumeRole"
                    ],
                    Resource: [
                        arn
                    ]
                }
            ]
        })
    });
    const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName + "-assumeRole-policy-attachment", {
        groups: [group],
        policyArn: devAssumeRolePolicy.arn
    });
});
orange-tailor-85423
01/22/2019, 6:56 PM