brave-angle-33257
03/22/2021, 5:34 PM
async getAccountId() {
  const awsIdentity = await aws.getCallerIdentity({ async: true });
  const accountId = awsIdentity.accountId;
  return accountId;
}
is the function I'm trying to use to get the account ID, then I want to use it in a policy like:
// IAM role
var ecs_role_name = `${ecs_cluster_name}-role-main`;
this.holder["ecs_role_name"] = ecs_role_name;
let assume_policy_document: aws.iam.PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Action: "sts:AssumeRole",
      Principal: {
        AWS: this.getAccountId().then((x) => x),
      },
      Effect: "Allow",
      Sid: "",
    },
  ],
};
AWS needs a full ARN but right now I keep getting things similar to:
aws:iam:Role (prod-main-ecs-role-main):
error: 1 error occurred:
* Error creating IAM Role prod-main-ecs-role-main: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::[object Promise]:root"
status code: 400, request id: 3875e107-41d6-488d-be73-93a9794915a0
better-shampoo-48884
03/22/2021, 5:49 PM
awsIdentity.accountId.apply(id => id)
bored-oyster-3147
03/22/2021, 5:49 PM
const identity = pulumi.output(aws.getCallerIdentity());
let policyDocument = identity.accountId.apply(id => {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Action: "sts:AssumeRole",
        Principal: {
          AWS: id,
        },
        Effect: "Allow",
        Sid: "",
      },
    ],
  };
});
better-shampoo-48884
03/22/2021, 5:49 PM
brave-angle-33257
03/22/2021, 5:50 PM
bored-oyster-3147
03/22/2021, 5:50 PM
.get methods in here: https://github.com/pulumi/examples
brave-angle-33257
03/25/2021, 8:10 PM
const identity = pulumi.output(aws.getCallerIdentity());
let role = new aws.iam.Role(ecs_role_name, {
  name: ecs_role_name,
  assumeRolePolicy: pulumi
    .output(
      identity.accountId.apply((id) => {
        return {
          Version: "2012-10-17",
          Statement: [
            {
              Action: "sts:AssumeRole",
              Principal: {
                AWS: `arn:aws:iam::${id}:root`,
              },
              Effect: "Allow",
              Sid: "",
            },
          ],
        };
      })
    )
    .apply(JSON.stringify),
});
bored-oyster-3147
03/25/2021, 8:48 PM
.apply(...) is just for transforming Output<T>. So you apply an output, get a new output, and pass it to pulumi.output(...) when it is already an output
identity.accountId.apply((id) => {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Action: "sts:AssumeRole",
        Principal: {
          AWS: `arn:aws:iam::${id}:root`,
        },
        Effect: "Allow",
        Sid: "",
      },
    ],
  };
}).apply(JSON.stringify);
does this not work?
brave-angle-33257
03/25/2021, 9:25 PM
pulumi.output() is redundant
pulumi.output is different from pulumi.Output, the latter being a type; I was trying to use it as a function, which messed me up some heh
let role = new aws.iam.Role(ecs_role_name, {
  name: ecs_role_name,
  assumeRolePolicy: pulumi
    .all([identity.accountId, identity.userId])
    .apply(([id, userId]) => {
      return {
        Version: "2012-10-17",
        Statement: [
          {
            Action: "sts:AssumeRole",
            Principal: {
              AWS: `arn:aws:iam::${id}:${userId}`,
            },
            Effect: "Allow",
            Sid: "",
          },
        ],
      };
    })
    .apply(JSON.stringify),
});
bored-oyster-3147
03/25/2021, 9:33 PM
brave-angle-33257
03/26/2021, 2:46 PM