https://pulumi.com logo
Join Slack
Powered by
Anyone running into issues with iam.SamlProvider.I...
# python
c
Anyone running into issues with iam.SamlProvider.Id? In the docs it states it returns the arn, I also have tried, iam.SamlProvider.arn. The error is that is it an invalid/malformed Principal ID for the Federated Identity. EDIT: I assume the issue is that "federated_identity" is a class object instead of an actual string. Not sure how to get around this.
main.py
f
Where are you getting 
federated_identity
from.. Can you print out the value when you run to see what’s there?
c
If I print out pingOneSaml.id it returns a pulumi class. "class 'pulumi.output.Output'". However export obtains the string of the id.
Untitled
f
Right, that makes sense. Is the id that you receive when exporting the format you expect to work with this configuration?
c
yes. It returns the ARN of the SamlProvider.
Here is the converted json when I print out then entire json object. On the outputs of the pulumi stack I get the correct expected output from Id.
Untitled.txt
f
Can export the json object, then use it to hardcode the value to see if it’s a problem with the generation or just the formatting?
c
Are you saying export the json object of the variable "pingOneSaml.id"? Or are you saying grab the value from the json return?
f
Export the value of 
iam.stsAssumeFederatedPolicyJson(assume_role='sts:AssumeRoleWithSAML', federated_identity=pingOneSaml))
and then add a variable with the value of that hardcoded. Then use that variable instead of the function in the call here like so:
Copy code
aws.iam.Role('%s-s3-ListBucket-role' % p_env,name="ListBuckets-%s-role" % p_env,assume_role_policy=assume_role_policy_variable)
c
Ahh, I did try that already and same result. It doesen't seem to understand the reference of the pulumi.Output.output object.
f
You might need to return an output from the function there. Try this:
Copy code
def stsAssumeFederatedPolicyJson(assume_role, federated_identity):
    return federated_identity.id.apply( lambda id:
    policy_json={}
    statement=[
        {
            'Action': assume_role,
            'Effect': 'Allow',
            'Principal': {
                'Federated': str(id)
            }
        }
    ]
    policy_json['Version']='2012-10-17'
    policy_json['Statement']=statement
    return json.dumps(policy_json)
)
this is because when json.dumps is run, the value of 
federated_identity.id
is still an output, meaning it doesn’t have the value yet.
c
ahhh, that makes sense. I will give it a try.
👍 1
Cant seem to get it working. Ill have to look more into how the lambda should be working
@future-barista-68134 if I can't get this working, is there any reason why Pulumi adds random integers to the AWS Resource Name. For instance if I created an AWS IAM Identity Provider Named: "test", pulumi will name the actual AWS Resource "test-[enter random numbers]". If the name resource for SamlProvider wasn't acting as a name prefix, I could dynmically create the ARN of the IdentityProvider
f
Pulumi does autonaming by default but can be overridden using the 
name
parameter. See docs here: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming.
c
😅@future-barista-68134 sorry, I thought I was setting it the entire time. I would have just built it dynamically instead of trying to get it to read the id.
f
This is something that’s certainly different about Pulumi and commonly misunderstood 🙂
Were you able to get this working?
c
@future-barista-68134 yes I did get it working. I just dynamically created the ARN based on the resources parameter name.
f
Okay, great 👍
Open in Slack
PreviousNext
Powered by