This message was deleted.

Can you share you’re current code 🙂

Here's the relevant sections - I created a generic

attach_policy

function to cut down on the boilerplate needed for this common pattern (which had no effect on the issue I'm having - it wasn't working before the refactor). Also, this is just one example. I have many other cases where I'm doing the same thing - trying to access the arn of other resources in a policy document - and they all throw the same error. Thanks!

import pulumi
from pulumi_aws import iam, kms, lambda_, kinesis, cloudwatch
from typing import List, Dict

ds_key = kms.Key("ds_key", 
    description="Kinesis Firehose Delivery Stream Key",
    policy=key_policy_doc.json,
    tags=tags
)

def attach_policy(
    *,
    role: type(iam.Role),
    name: str,
    description: str,
    path: str,
    depends_on: List = None,
    statements: List
    ):

    if depends_on:
        opts = pulumi.ResourceOptions(depends_on=depends_on)
    else:
        opts = pulumi.ResourceOptions()

    policy_doc = iam.get_policy_document(
        opts = opts,
        statements = statements
    )

    policy = iam.Policy(name,
        description=description,
        path=path,
        policy=policy_doc.json
    )

    policy_attachment = iam.RolePolicyAttachment(name + "Attach",
        policy_arn=policy.arn,
        role=role.id
    )

attach_policy(
    role = firehose_role,
    name = "firehosePolicy",
    description = "IAM policy for firehose",
    path = "/",
    depends_on=[ds_key],
    statements = [
    {
        "actions": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        "resources": [ds_key.arn.apply(lambda arn: f'{arn}')],
        "condition": [{
            "test": "StringEquals",
            "values": [f"s3.{aws_region}.<http://amazonaws.com|amazonaws.com>"],
            "variable": "kms:ViaService"
        }]
    }]
)

That’s actually what I would recommend! Apologies for not getting back to this sooner 🙂

Thanks for confirming