It seems simple enough to create an IAM policy in Pulumi a p

Question

It seems simple enough to create an IAM policy in Pulumi a policy to attach to an IAM User Group Role but I m finding it difficult to create a resource policy a policy to attach to an AWS resource external to IAM e g a KMS CMK

fierce-machine-21789 · Answer

For context I m following this AWS guide <https docs aws amazon com kms latest developerguide key policies html key policy default allow root enable iam>

fierce-machine-21789 · Answer

When I create a `PolicyDocument` that exactly mirrors those AWS examples including specifying the appropriate `Principal`s the output I get upon running `pulumi up` is ```error Plan apply failed Error creating IAM policy policy abcd123 MalformedPolicyDocument Policy document should not specify a principal ```

fierce-machine-21789 · Answer

It seems to think I m creating an IAM policy which does not need a Principal since the IAM entity it s being attached to is the Principal instead of a resource policy

white-balloon-205 · Answer

Could you share the relevant snippet of tour code

fierce-machine-21789 · Answer

Figured out that I can attach the PolicyDocument directly to the CMK resource instead of going `PolicyDocument` gt `Policy` gt `Policy policy` on the CMK resource and that fixed the Principals issue However now I m running into that common issue where I need to go from `Output lt T gt ` gt string stringified JSON in this case since I want to reference the `User arn`s managed by Pulumi in the PolicyDocument I m attaching to the CMK

fierce-machine-21789 · Answer

it works when I chain with ` apply ` but then everything that references that PolicyDocument also seems to have to exist within the asynchronous context of that ` apply ` which is very unfortunate