# general
I’d be very grateful for help in resolving both a bucket name AND a role arn in a BucketPolicy. My use case closely follows the example given here: https://www.pulumi.com/docs/aws/s3/ Except in the
function publicReadPolicyForBucket
I need access to both the name of the bucket which has just been created, AND the arn of a role that has just been created. Specifically, my policy needs to look like this (the difference from the example is the
which in my case needs to interpolate the role, instead of just being
function publicReadPolicyForBucket(bucketName: string, roleName: string) {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: "`${role.arn}`",
            Action: [
            Resource: [
                `arn:aws:s3:::${bucketName}/*` // policy refers to bucket name explicitly
The error message I get recommends using the
pattern, but I can’t see how this extends to allowing me to interpolate both the bucket name and the role
Basically you cannot generate the JSON at the point in time you call your function.
But you can create an output that generates the JSON.
const jsonOutput = unresolvedInputs.apply((resolvedInputs) => createJson(resolvedInputs))
from your snippet it's not clear which variables are outputs. if it is
then it would be:
Yes - so role is created using
const role = new aws.iam.Role()
policy = role.arn.apply(arn => JSON.stringify({ ... , Principal: arn }))
Right - thank you. But doesn’t that just flip the problem around - I now have the role, but how do I get the bucket into that? Do I need a nested bucket.bucket.apply within the `role.arn.apply`?
yes that would be one way to do it
but you can also resolve multiple outputs at once:
pulumi.output({ bucket, arn: role.arn}).apply(({bucket, arn}) => ...);
Amazing - thank you so much for your help - super appreciated
you're welcome 🙂