It seems simple enough to create an IAM policy in Pulumi (a policy to attach to an IAM User/Group/Role), but I'm finding it difficult to create a resource policy (a policy to attach to an AWS resource external to IAM, e.g., a KMS CMK).
When I create a
that exactly mirrors those AWS examples, including specifying the appropriate `Principal`s, the output I get upon running
`pulumi up` is:

```
error: Plan apply failed: Error creating IAM policy policy-abcd123: MalformedPolicyDocument: Policy document should not specify a principal.
```
It seems to think I'm creating an IAM policy (which does not need a Principal, since the IAM entity it's being attached to is the Principal) instead of a resource policy
Could you share the relevant snippet of your code?
Figured out that I can attach the PolicyDocument directly to the CMK resource instead of going
on the CMK resource, and that fixed the Principals issue. However now I'm running into that common issue where I need to go from
-> string (stringified JSON, in this case) since I want to reference the `User.arn`s managed by Pulumi in the PolicyDocument I'm attaching to the CMK
it works when I chain with
, but then everything that references that PolicyDocument also seems to have to exist within the asynchronous context of that
, which is very unfortunate