This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

11/14/2019, 8:53 PM

This message was deleted.

🤔 1

fierce-machine-21789

11/14/2019, 8:55 PM

For context, I'm following this AWS guide: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam

fierce-machine-21789

11/14/2019, 8:58 PM

When I create a

PolicyDocument

that exactly mirrors those AWS examples, including specifying the appropriate `Principal`s, the output I get upon running

pulumi up

Copy code

error: Plan apply failed: Error creating IAM policy policy-abcd123: MalformedPolicyDocument: Policy document should not specify a principal.

fierce-machine-21789

11/14/2019, 8:58 PM

It seems to think I'm creating an IAM policy (which does not need a Principal, since the IAM entity it's being attached to is the Principal) instead of a resource policy

white-balloon-205

11/14/2019, 9:00 PM

Could you share the relevant snippet of tour code?

fierce-machine-21789

11/14/2019, 11:13 PM

Figured out that I can attach the PolicyDocument directly to the CMK resource instead of going

PolicyDocument

Policy

Policy.policy

on the CMK resource, and that fixed the Principals issue. However now I'm running into that common issue where I need to go from

Output<T>

-> string (stringified JSON, in this case) since I want to reference the `User.arn`s managed by Pulumi in the PolicyDocument I'm attaching to the CMK

fierce-machine-21789

11/14/2019, 11:14 PM

it works when I chain with

.apply()

, but then everything that references that PolicyDocument also seems to have to exist within the asynchronous context of that

.apply()

, which is very unfortunate

70 Views

Open in Slack

Previous Next