https://pulumi.com logo
#general
Title
# general
f

fierce-machine-21789

11/14/2019, 8:53 PM
It seems simple enough to create an IAM policy in Pulumi (a policy to attach to an IAM User/Group/Role), but I'm finding it difficult to create a resource policy (a policy to attach to an AWS resource external to IAM, e.g., a KMS CMK).
🤔 1
When I create a
PolicyDocument
that exactly mirrors those AWS examples, including specifying the appropriate `Principal`s, the output I get upon running
pulumi up
is
Copy code
error: Plan apply failed: Error creating IAM policy policy-abcd123: MalformedPolicyDocument: Policy document should not specify a principal.
It seems to think I'm creating an IAM policy (which does not need a Principal, since the IAM entity it's being attached to is the Principal) instead of a resource policy
w

white-balloon-205

11/14/2019, 9:00 PM
Could you share the relevant snippet of tour code?
f

fierce-machine-21789

11/14/2019, 9:05 PM
Figured out that I can attach the PolicyDocument directly to the CMK resource instead of going
PolicyDocument
->
Policy
->
Policy.policy
on the CMK resource, and that fixed the Principals issue. However now I'm running into that common issue where I need to go from
Output<T>
-> string (stringified JSON, in this case) since I want to reference the `User.arn`s managed by Pulumi in the PolicyDocument I'm attaching to the CMK
it works when I chain with
.apply()
, but then everything that references that PolicyDocument also seems to have to exist within the asynchronous context of that
.apply()
, which is very unfortunate
2 Views