I'm trying to identify what the "policy" object of...
# general
I'm trying to identify what the "policy" object of aws.kms.Key should look like. It appears to want JSON (error: "policy" contains an invalid JSON: invalid character 'a' looking for beginning of value), but all of the options I've tried (including ones from AWS' documentation) produce errors either in my IDE or when I run pulumi up (error: "policy must be a single value, not a map"). Where can I find an example of syntax the policy object this item is expecting?
Maybe try JSON.stringify(…) against the JSON policy you’re trying to use?
I went down the road of trying to use straight JSON but Pulumi makes it way easier. Here's an example:
```typescript
import * as aws from "@pulumi/aws";

// `name` and `parameterStore` (an aws.ssm.Parameter) are defined elsewhere in the program.
// aws.iam.Policy accepts the policy document as a plain object; Pulumi serializes it for you.
const policy = new aws.iam.Policy(`${name}-secret-reader`, {
    path: `/secrets/${name}`,
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: ["ssm:GetParameter"],
                Effect: "Allow",
                // Scope the grant to the single parameter rather than "*".
                Resource: parameterStore.arn,
            },
        ],
    },
});
```
Instead of trying to make a correctly formatted JSON document that validates as an IAM policy, Pulumi gives you properties to work with just like other resources, and gives you some IntelliSense against known types (for example, I can Ctrl+Shift in VS Code and get the valid strings for Version, i.e. "2012-10-17").
Thanks for the suggestions. @swift-painter-31084 I did try to use an IAM policy, but I get "MalformedPolicyDocumentException: Policy contains a statement with no principal"
Which is really weird since IAM policies don't allow principals.
@faint-table-42725 JSON.stringify likewise returns "MalformedPolicyDocumentException"
```typescript
// Key policy document as originally posted (this is the form that came back with
// MalformedPolicyDocumentException). Note that in the IAM policy grammar "Principal"
// is a single JSON object such as {"AWS": "*"}, not an array of objects.
// Also note what this grants: Principal "AWS": "*" with Action "kms:*" on Resource "*"
// allows every AWS principal full use and administration of the key, which is not
// something to ship beyond a throwaway test.
const policy = {
    Version: "2012-10-17",
    Statement: [
        {
            Principal: [
                {
                    AWS: "*",
                },
            ],
            Effect: "Allow",
            Action: ["kms:*"],
            Resource: "*",
        },
    ],
};
```
@faint-table-42725 the JSON.stringify() turned out to be the trick combined with making sure the policy has an "Id" (missing from the example I previously posted). Thanks to all!