I m trying to write a iam policy which depends on an iam rol Pulumi Community #general

I'm trying to write a iam policy which depends on ...

damp-book-35965

03/26/2019, 12:06 AM

I'm trying to write a iam policy which depends on an iam role But I'm unable to reference it in the policy doc like:

Copy code

const iamRole = new aws.iam.Role(clusterName + "-server", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: "sts:AssumeRole",
            Principal: {
                "AWS": cluster.instanceRole <- this is type=pulumi.Output<aws.iam.Role>;
            },
            Effect: "Allow"
        }]
    })
});

creamy-potato-29402

03/26/2019, 12:07 AM

@damp-book-35965 this is a trick part of the API, you want

cluster.instanceRole.apply(ir => JSON.stringify(...))

✔️ 1

creamy-potato-29402

03/26/2019, 12:07 AM

where

assumeRolePolicy

goes.

creamy-potato-29402

03/26/2019, 12:08 AM

that field is really supposed to be a string, but we’ve added some nice sugar to make it a JSON object — the downside is that you can’t use

Input

in there.

creamy-potato-29402

03/26/2019, 12:08 AM

if that makes sense.

damp-book-35965

03/26/2019, 12:10 AM

Kind of..still trying to grok it fully with using pulumi .Output

damp-book-35965

03/26/2019, 12:11 AM

But basically this makes the instance role available to use within the apply() function

creamy-potato-29402

03/26/2019, 12:11 AM

ok so here’s what’s happening.

creamy-potato-29402

03/26/2019, 12:12 AM

assumeRolePolicy

in the AWS API is actually type

string

right? So

new aws.iam.Role

actually converts the JSON you provide into`string`. It does this by calling

toString

, I believe.

creamy-potato-29402

03/26/2019, 12:14 AM

So, what this means is:

creamy-potato-29402

03/26/2019, 12:15 AM

oh wait

creamy-potato-29402

03/26/2019, 12:15 AM

no it doesn’t actually even do that, YOU have to do that.

damp-book-35965

03/26/2019, 12:16 AM

toString is not supported

creamy-potato-29402

03/26/2019, 12:16 AM

So the reason

cluster.instanceRole

doesn’t work inside

JSON.stringify

is actually because

Output

is basically a promise.

creamy-potato-29402

03/26/2019, 12:16 AM

So, in order to generate the correct string,

JSON.stringfy

has to be run inside the

.apply

—

damp-book-35965

03/26/2019, 12:17 AM

Yes got that

creamy-potato-29402

03/26/2019, 12:17 AM

otherwise you’re just `toString`’ing the promise. But you don’t want that. You want the value inside the promise once it resolves

damp-book-35965

03/26/2019, 12:18 AM

Yes..makes sense..I think i got a bit confused because in some places it is supported to directly use the pulumi.Output<> but not everywhere

creamy-potato-29402

03/26/2019, 12:19 AM

yeah

creamy-potato-29402

03/26/2019, 12:19 AM

It’s hard to grok, we’re actively working on simplifying. 🙂

👍 1

damp-book-35965

03/26/2019, 12:19 AM

Have to say it's beautiful when it works

Open in Slack

Previous Next