# general
f
It seems simple enough to create an IAM policy in Pulumi (a policy to attach to an IAM User/Group/Role), but I'm finding it difficult to create a resource policy (a policy to attach to an AWS resource external to IAM, e.g., a KMS CMK).
When I create a `PolicyDocument` that exactly mirrors those AWS examples, including specifying the appropriate `Principal`s, the output I get upon running `pulumi up` is
```
error: Plan apply failed: Error creating IAM policy policy-abcd123: MalformedPolicyDocument: Policy document should not specify a principal.
```
It seems to think I'm creating an IAM policy (which does not need a Principal, since the IAM entity it's being attached to is the Principal) instead of a resource policy.
w
Could you share the relevant snippet of your code?
f
Figured out that I can attach the PolicyDocument directly to the CMK resource instead of going `PolicyDocument` -> `Policy` -> `Policy.policy` on the CMK resource, and that fixed the Principals issue. However, now I'm running into that common issue where I need to go from `Output<T>` -> string (stringified JSON, in this case), since I want to reference the `User.arn`s managed by Pulumi in the PolicyDocument I'm attaching to the CMK.
It works when I chain with `.apply()`, but then everything that references that PolicyDocument also seems to have to exist within the asynchronous context of that `.apply()`, which is very unfortunate.