I’d be very grateful for help in resolving both a bucket name AND a role arn in a BucketPolicy. My use case closely follows the example given here: https://www.pulumi.com/docs/aws/s3/ Except in the

function publicReadPolicyForBucket

I need access to both the name of the bucket which has just been created created, AND the arn of a role that has just been created. Specifically, my policy needs to look like this (the difference from the example is the

Principal

which in my case needs to interpolate the role, instead of just being

*

function publicReadPolicyForBucket(bucketName: string, roleName: string) {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: "`${role.arn}`",
            Action: [
                "s3:GetObject"
            ],
            Resource: [
                `arn:aws:s3:::${bucketName}/*` // policy refers to bucket name explicitly
            ]
        }]
    });
}

The error message I get recommends using the

bucket.bucket.apply()

pattern, but I can’t see how this extends to allowing me to interpolate both the bucket name and the role

Basically you cannot generate the JSON at the point in time you call your function.

Yes - so role is created using

const role = new aws.iam.Role()

Right - thank you. But doesn’t that just flip the problem around -I now have the role, but how do I get the bucket into that? do I need a nested bucket.bucket.apply within the `role.arn.apply``?

yes that would be one way to do it

Amazin g- thanks you so much for your help - super appreciated

you're welcome 🙂