https://pulumi.com logo
#python
Title
# python
c

colossal-plastic-46140

07/16/2019, 4:18 PM
yea, I just changed some of the specifics, IE sanitized arns
w

white-balloon-205

07/16/2019, 4:23 PM
When I run that code I get:
Copy code
Exception: invocation of aws:iam/getPolicy:getPolicy returned an error: invoking aws:iam/getPolicy:getPolicy: Error reading IAM policy *:policy/policy_test: InvalidInput: ARN *:policy/policy_test is not valid.
That seems expected - it is not clear that it is legal to get a policy using a wildcard?
c

colossal-plastic-46140

07/16/2019, 4:24 PM
thats cause I didn't want to expose my real arn to this slack
w

white-balloon-205

07/16/2019, 4:24 PM
Ahh - got it!
c

colossal-plastic-46140

07/16/2019, 4:26 PM
The part that is confusing me the most is this
sys:1: RuntimeWarning: coroutine 'get_instance_profile' was never awaited
w

white-balloon-205

07/16/2019, 4:27 PM
Okay - I can reproduce this. I think that that warning is a symptom not that cause - that is - because there is a crash, the coroutine never gets awaited - not the other way round. But need to investigate the crash itself.
c

colossal-plastic-46140

07/16/2019, 4:30 PM
OK good to know i am not doing something wrong here
w

white-balloon-205

07/16/2019, 4:30 PM
Okay - so the problem is that
get_instance_profile
returns a
GetInstanceProfileResult
, not a string. And you need to pass a string (the name of the profile) to
RolePolicyAttachment
.
So this code works:
Copy code
import pulumi
from pulumi_aws import s3, ec2, iam

async def get_profile():
    instance_profile = await iam.get_instance_profile(name="webServerProfile-ad563fb")
    return instance_profile.name

async def get_policy(): 
    policy = await iam.get_policy(arn="arn:aws:iam::aws:policy/AdministratorAccess")
    return policy.arn

iam.RolePolicyAttachment(role=get_profile(),resource_name="policy_test",policy_arn=get_policy())
(actually - I take that back - that code leads to another issue...)
But the bigger point perhaps here is that you don't need these
get_
calls at all - you can just pass the same strings you used as inputs to the resource:
Copy code
import pulumi
from pulumi_aws import s3, ec2, iam

iam.RolePolicyAttachment(role="webServerProfile-ad563fb",resource_name="policy_test",policy_arn="arn:aws:iam::aws:policy/AdministratorAccess")
Now - there are a couple different bugs here though - I'll open those to track.
c

colossal-plastic-46140

07/16/2019, 4:34 PM
I appreciate it
my reasoning in doing the get was to get the pythonic object back for use in other parts of the code, but in this case, I totally get that the string would suffice