https://pulumi.com logo
#general
Title
# general
c

calm-quill-21760

03/05/2020, 1:14 AM
I'm trying to identify what the "policy" object of aws.kms.Key should look like. It appears to want JSON (error: "policy" contains an invalid JSON: invalid character 'a' looking for beginning of value), but all of the options I've tried (including ones from AWS' documentation) produce errors either in my IDE or when I run pulumi up (error: "policy must be a single value, not a map"). Where can I find an example of syntax the policy object this item is expecting?
Maybe try JSON.stringify(…) against the JSON policy you’re trying to use?
s

swift-painter-31084

03/05/2020, 4:00 AM
I went down the road of trying to use straight JSON but Pulumi makes it way easier. Here's an example:
Copy code
const policy = new aws.iam.Policy(
			`${name}-secret-reader`,
			{
				path: `/secrets/${name}`,
				policy: {
					Version: "2012-10-17",
					Statement: [
						{
							Action: ["ssm:getParameter"],
							Effect: "Allow",
							Resource: parameterStore.arn
						}
					]
				}
			}
		);
Instead of trying to make a correctly formatted JSON document that validates as IAM policy, Pulumi gives you properties to work with just like other resources, and gives you some intellisense against known types (like I can ctrl+shift in VsCode and get the valid strings for Version ie. "2012-10-17"
c

calm-quill-21760

03/05/2020, 9:07 PM
Thanks for the suggestions. @swift-painter-31084 I did try to use an IAM policy, but I get "MalformedPolicyDocumentException: Policy contains a statement with no principal"
Which is really weird since IAM policies don't allow principals.
@faint-table-42725 JSON.stringify likewise returns "MalformedPolicyDocumentException"
Copy code
const policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Principal": [
                        {
                            "AWS": "*"
                        }
                    ],
                    "Effect": "Allow",
                    "Action": [
                        "kms:*"
                    ],
                    "Resource": "*"
                }
            ]
        };
@faint-table-42725 the JSON.stringify() turned out to be the trick combined with making sure the policy has an "Id" (missing from the example I previously posted). Thanks to all!
8 Views