In ` Pulumi aws` I ve created a Role and a Policy and used b Pulumi Community #general

In `@Pulumi/aws` I've created a Role and a Policy,...

early-musician-41645

12/10/2018, 7:26 PM

@Pulumi/aws

I've created a Role and a Policy, and used both RolePolicyAttachment and also PolicyAttachment, but have no luck in attaching a policy to the role. What's the way to attach policies to roles?

microscopic-florist-22719

12/10/2018, 7:27 PM

RolePolicyAttachment

is the way to do this. What sort of problem are you seeing?

early-musician-41645

12/10/2018, 7:28 PM

The policies aren't getting attached

early-musician-41645

12/10/2018, 7:29 PM

e.g. "Permissions Policies" is empty when I look at the role in the console.

early-musician-41645

12/10/2018, 7:29 PM

Copy code

const clusterRole = new aws.iam.Role(config.require("group")+"-k8s-cluster-role", {
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Action: "sts:AssumeRole",
      Principal: {
        AWS: "arn:aws:iam::"+config.require("accountId")+":root"
      },
      Effect: "Allow"
    }]
  })
});
const eksClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("eks-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: eksPolicy.arn
});
const ecrReadClusterRolePolicyAttachment = new aws.iam.RolePolicyAttachment("ecr-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: ecrReadPolicy.arn
});
const s3ReadRolePolicyAttachment = new aws.iam.RolePolicyAttachment("s3-read-cluster-policy-attachment", {
    role: clusterRole,
    policyArn: s3ReadPolicy.arn
});

early-musician-41645

12/10/2018, 7:30 PM

Those policies are created and I can see them via the console, but they're not listed as attached to the

clusterRole

microscopic-florist-22719

12/10/2018, 7:32 PM

are these policies attached to any other roles?

early-musician-41645

12/10/2018, 7:32 PM

not yet

early-musician-41645

12/10/2018, 7:32 PM

but they will be

microscopic-florist-22719

12/10/2018, 7:32 PM

early-musician-41645

12/10/2018, 7:33 PM

Am I supposed to use

RolePolicy

Policy

microscopic-florist-22719

12/10/2018, 7:33 PM

RolePolicy

, I think

early-musician-41645

12/10/2018, 7:33 PM

I want to attach a policy to a role and to a group

early-musician-41645

12/10/2018, 7:33 PM

Do I need duplicate policies? One for

RolePolicy

and one

Policy

microscopic-florist-22719

12/10/2018, 7:33 PM

you might need two, yes

microscopic-florist-22719

12/10/2018, 7:34 PM

I'm honestly not 100% sure. I haven't used group policies before.

microscopic-florist-22719

12/10/2018, 7:34 PM

cc @white-balloon-205

early-musician-41645

12/10/2018, 7:34 PM

okay, I'll explore a bit on it

early-musician-41645

12/10/2018, 8:07 PM

I got things working, except for this:

Copy code

// Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
const devAssumeRolePolicy = new aws.iam.Policy(groupName+"-assumerole-read-policy", {
  policy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: [
          "sts:AssumeRole"
        ],
        Resource: [
          clusterRole.arn
        ]
      },
      {
        Effect: "Allow",
        Action: "sts:GetCallerIdentity",
        Resource: "*"
      }
    ]
  })
});
const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName+"-assumeRole-policy-attachment", {
  groups: [group],
  policyArn: devAssumeRolePolicy.arn
});

early-musician-41645

12/10/2018, 8:07 PM

When I code in a specific string for the clusterRole.arn then it works, but when I use

clusterRole.arn

then there's a big problem

early-musician-41645

12/10/2018, 8:07 PM

Copy code

Previewing update (tableau/mustang-aws-iam-sandbox):

     Type                 Name                                     Plan     Info
     pulumi:pulumi:Stack  mustang-aws-iam-mustang-aws-iam-sandbox           36 messages                                                                                                                                 └─ aws:iam:Policy    mustang-sandbox-assumerole-read-policy            1 error

Diagnostics:
  aws:iam:Policy (mustang-sandbox-assumerole-read-policy):
    error: transport is closing

  pulumi:pulumi:Stack (mustang-aws-iam-mustang-aws-iam-sandbox):
    panic: interface conversion: interface {} is map[string]interface {}, not string
    goroutine 178 [running]:
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.newAWSStringSet(0x2b346c0|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.newAWSStringSet(0x2b346c0>, 0xc000ac0a80, 0xc000be14e0, 0x1, 0x1)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:386 +0x254
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyStatement).equals(0xc000cb6120|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyStatement).equals(0xc000cb6120>, 0xc000cb62d0, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:176 +0x2ea
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyDocument).equals(0xc000c27300|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.(*awsPolicyDocument).equals(0xc000c27300>, 0xc000c27380, 0x0)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:114 +0xf9
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.PoliciesAreEquivalent(0xc000e820f0|github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence.PoliciesAreEquivalent(0xc000e820f0>, 0xe3, 0xc000e84340, 0xca, 0x410044, 0xc000faf020, 0xc000ed3a40)
        /home/travis/gopath/src/github.com/pulumi/pulumi-aws/vendor/github.com/jen20/awspolicyequivalence/aws_policy_equivalence.go:50 +0x3a6
    <http://github.com/pulumi/pulumi-aws/vendor/github.com/terraform-providers/terraform-provider-aws/aws.suppressEquivalentAwsPolicyDiffs(0x367e0fc|github.com/pulumi/pulumi-aws/vendor/github.com/terraform-providers/terraform-provider-aws/aws.suppressEquivalentAwsPolicyDiffs(0x367e0fc>, 0x6, 0xc000e820f0, 0xe3, 0xc000e84340, 0xca, 0xc000cc65b0, 0xc000faef00)

early-musician-41645

12/10/2018, 8:08 PM

how do I get a string version of the clusterRole's ARN?

big-piano-35669

12/10/2018, 9:12 PM

@stocky-spoon-28903 Should also be able to help with a lot of this.

early-musician-41645

12/10/2018, 9:21 PM

I found out that the clusterRole was not populated by the time the Policy was read, so I did a

clusterRole.apply({ ... });

to make sure the ordering happens correctly. Is there a more Pulumi-ish way to set up ordering/dependency? Follow-up, why isn't the dependency ordering honored for the clusterRole when I need to use the

clusterRole.arn

in a policy?

stocky-spoon-28903

12/10/2018, 9:34 PM

I’m on the move at the moment, will comment here shortly though

early-musician-41645

12/10/2018, 9:35 PM

Is there a

dependsOn

I can add to enforce it?

orange-tailor-85423

01/21/2019, 11:58 PM

@early-musician-41645 @stocky-spoon-28903 any update on this? I think this is the issue I'm having too

orange-tailor-85423

01/21/2019, 11:58 PM

did you have to go the apply route? I keep getting invalid policy doc

orange-tailor-85423

01/21/2019, 11:59 PM

`function createK8sDelegation() { const awsCaller = aws.getCallerIdentity(); awsCaller.then(root => { const assumeRootRolePolicy = <aws.iam.PolicyDocument>{ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: { AWS:

arn:aws:iam::${root.accountId}:root

}, Action: "sts:AssumeRole" } ] }; // Create an IAM role for K8s namespace access const k8sDevPolicies = { eksViewer: aws.iam.ReadOnlyAccess }; const k8sNamespaceAdminRole = newRoleWithPolicies( "k8sDevNSAdminRole", { description: "k8s namespace admin role for groups", assumeRolePolicy: assumeRootRolePolicy }, k8sDevPolicies ); const k8sdevpolicy = new aws.iam.Policy( "k8s-dev-namespace-policy", { description: "Policy that allow you to do K8s stuff", policy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Resource:

${k8sNamespaceAdminRole.arn}

, Action: ["sts:AssumeRole"] } ] }) }, { parent: k8sNamespaceAdminRole } ); new aws.iam.GroupPolicyAttachment("k8s-ns-to-dev-group-attachment", { group: k8sNamespaceAdminGroup, policyArn: k8sdevpolicy.arn }); return assumeRootRolePolicy; }); }`

orange-tailor-85423

01/21/2019, 11:59 PM

it doesn't like the role.arn

early-musician-41645

01/22/2019, 6:07 PM

@orange-tailor-85423 I ended up with this and it works:

Copy code

215 clusterRole.arn.apply(arn => {
216   // Dev Assume Role Policy to use the cluster role for accessing kubernetes clusters
217   // Doing this in a .apply() block because of an ordering issue with Pulumi and getting the clusterRole.arn
218   const devAssumeRolePolicy = new aws.iam.Policy(groupName+"-assumerole-read-policy", {
219     policy: JSON.stringify({
220       Version: "2012-10-17",
221       Statement: [
222         {
223           Effect: "Allow",
224           Action: [
225             "sts:AssumeRole"
226           ],
227           Resource: [
228             arn
229           ]
230         }
231       ]
232     })
233   });
234   const devAssumeRoleReadPolicyAttachment = new aws.iam.PolicyAttachment(groupName+"-assumeRole-policy-attachment", {
235     groups: [group],
236     policyArn: devAssumeRolePolicy.arn
237   });
238 });

orange-tailor-85423

01/22/2019, 6:56 PM

thanks!

Open in Slack

Previous Next