https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# general
s
This message was deleted.
b
Copy code
async getAccountId() {
        const awsIdentity = await aws.getCallerIdentity({ async: true });
        const accountId = awsIdentity.accountId;
        return accountId;
    }
is the function Im trying to use to get the account ID, then I want to use it in a policy like:
Copy code
// IAM role
        var ecs_role_name = `${ecs_cluster_name}-role-main`;
        this.holder["ecs_role_name"] = ecs_role_name;
        let assume_policy_document: aws.iam.PolicyDocument = {
            Version: "2012-10-17",
            Statement: [
                {
                    Action: "sts:AssumeRole",
                    Principal: {
                        AWS: this.getAccountId().then((x) => x),
                    },
                    Effect: "Allow",
                    Sid: "",
                },
            ],
        };
i realize that the 
AWS
needs a full ARN but right now I keep getting things similar to:
Copy code
aws:iam:Role (prod-main-ecs-role-main):
    error: 1 error occurred:
        * Error creating IAM Role prod-main-ecs-role-main: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::[object Promise]:root"
        status code: 400, request id: 3875e107-41d6-488d-be73-93a9794915a0
b
could you try returning awsIdentity then doing 
awsIdentity.accountId.apply(id => id)
b
you want something like:
Copy code
const identity = pulumi.output(aws.getCallerIdentity());
let policyDocument = identity.accountId.apply(id =>
{
    return {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Principal: {
                    AWS: id,
                },
                Effect: "Allow",
                Sid: "",
            },
        ],
    };
});
b
joshua with the better option 😉
b
excellent, thank you. i always get tripped up on these heh
b
checkout this in the docs: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/ and then look for some examples of using the 
.get
methods in here: https://github.com/pulumi/examples
👍 1
b
after playing with this, getting stuck, and coming back to it, this was the final way I got this to work, not the easiest to figure out:
Copy code
const identity = pulumi.output(aws.getCallerIdentity());

        let role = new aws.iam.Role(ecs_role_name, {
            name: ecs_role_name,
            assumeRolePolicy: pulumi
                .output(
                    identity.accountId.apply((id) => {
                        return {
                            Version: "2012-10-17",
                            Statement: [
                                {
                                    Action: "sts:AssumeRole",
                                    Principal: {
                                        AWS: `arn:aws:iam::${id}:root`,
                                    },
                                    Effect: "Allow",
                                    Sid: "",
                                },
                            ],
                        };
                    })
                )
                .apply(JSON.stringify),
        });
god forbid now I would need 2 outputs to render in the same policy
thinking possibly interpolate i'll hold off for now
b
that is very odd to me - because 
.apply(...)
is just for transforming 
Output<T>
. So you apply an output, get a new output, and pass it to 
pulumi.output(...)
when it is already an output
but if it works, I guess
Copy code
identity.accountId.apply((id) => {
                        return {
                            Version: "2012-10-17",
                            Statement: [
                                {
                                    Action: "sts:AssumeRole",
                                    Principal: {
                                        AWS: `arn:aws:iam::${id}:root`,
                                    },
                                    Effect: "Allow",
                                    Sid: "",
                                },
                            ],
                        };
                    }).apply(JSON.stringify);
does this not work?
b
let me try, i thought I tried that, but let me check
yea, ok that does work.. i guess the 
pulumi.output()
is redundant
also, took me a bit to realize 
pulumi.output
is different than 
pulumi.Output
the latter being a type, I was trying to use it as a function messed me up some heh
I did figure out how to use 2 inputs though:
Copy code
let role = new aws.iam.Role(ecs_role_name, {
            name: ecs_role_name,
            assumeRolePolicy: pulumi
                .all([identity.accountId, identity.userId])
                .apply(([id, userId]) => {
                    return {
                        Version: "2012-10-17",
                        Statement: [
                            {
                                Action: "sts:AssumeRole",
                                Principal: {
                                    AWS: `arn:aws:iam::${id}:${userId}`,
                                },
                                Effect: "Allow",
                                Sid: "",
                            },
                        ],
                    };
                })
                .apply(JSON.stringify),
        });
thats not valid ARN obviously, but it did resolve correctly
b
yea! well I'm glad you figured out. I'm used to dotnet so there's definitely some small semantic differences to accomplish the same task that I tend to trip over so I'm glad you got it to work.
b
Thanks for your help!
🙌 1
43 Views
Open in Slack
PreviousNext
Powered by