Struggling to get my IAM policy to work, I’m tryin...
# generalb
billions-lock-73409
02/25/2019, 6:42 PMStruggling to get my IAM policy to work, I’m trying to reference an ARN for a KMS key I created and marked as a dependency, but the
Output Copy code
Plan apply failed: Error putting IAM role policy ******: MalformedPolicyDocument: Syntax errors in policy.
status code: 400, request id: 5d766e02-392b-11e9-b9bc-f57a45e4467fc
creamy-potato-29402
02/25/2019, 6:46 PM@billions-lock-73409 policy documents are weird, the fields can’t be outputs for $REASONS
creamy-potato-29402
02/25/2019, 6:47 PMCan you paste, the code? I can show you how to fix it.
b
billions-lock-73409
02/25/2019, 7:23 PMsure,
Copy code
const rolePolicy = new aws.iam.RolePolicy(
'probot_task_policy',
{
role: role,
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: [
'kms:ListKeys',
'kms:ListAliases',
'kms:Describe*',
'kms:Decrypt',
],
Resource: [paramStoreKms.arn],
},
{
Effect: 'Allow',
Action: 'ssm:GetParameters',
Resource: [
`arn:aws:ssm:*:${config.require(
'accountId'
)}:parameter/secrets_probot_scanner/*`,
],
},
],
}),
},
{ parent: role }
);billions-lock-73409
02/25/2019, 7:23 PMparamStoreKmsbillions-lock-73409
02/25/2019, 7:27 PMcould the json string be the result of an apply?
c
creamy-potato-29402
02/25/2019, 8:00 PM@billions-lock-73409 you probably want something like
policy: paramStoreKms.arn.apply(arn => JSON.stringify({ ... })creamy-potato-29402
02/25/2019, 8:00 PMif that makes sense.
b
billions-lock-73409
02/25/2019, 8:01 PMyeah it does, I’ll give it a go, thanks!
billions-lock-73409
02/25/2019, 8:06 PMworked perfectly, thanks a bunch 👍
billions-lock-73409
02/25/2019, 8:07 PMif I needed multiple Outputs i can use pulumi.all right?
billions-lock-73409
02/25/2019, 8:07 PMto wrap them in a promise like that
c
creamy-potato-29402
02/25/2019, 8:07 PMyeah
b
billions-lock-73409
02/25/2019, 8:25 PMawesome 👍
4 Views