modern-bear-85657

10/16/2019, 7:41 PM
Why does defining IAM policies think this is an error?
Types of property 'Version' are incompatible.
      Type 'string' is not assignable to type 'Input<"2008-10-17" | "2012-10-17">'.ts(2322)

broad-dog-22463

10/16/2019, 7:42 PM
The string needs to be 1 of those 2 values

modern-bear-85657

10/16/2019, 7:48 PM
My string is one of those values. But it’s not an Input object. I don’t see why that’s necessary.

broad-dog-22463

10/16/2019, 8:18 PM
Can you show me your IAM policy definition?

modern-bear-85657

10/16/2019, 8:35 PM
const policy = new aws.iam.Policy('bucket-policy', {
    name: '...',
    description: '...',
    policy: {
        Version: '2012-10-17',
        Statement: [{/* ... */}]
    }
})

stocky-spoon-28903

10/17/2019, 9:33 AM
Hmm, that should be ok. What version of the library are you using?

modern-bear-85657

10/17/2019, 1:00 PM
Here’s my package.lock:
"@pulumi/aws": {
            "version": "1.6.0",
            "resolved": "https://{{ nexus.internal }}/repository/npm-all/@pulumi/aws/-/aws-1.6.0.tgz",
            "integrity": "sha512-zEqTtMpFoDJwGhhA+CIiSto6shURsCCjbKAIZLGRnlCbx4f5LQR0eZjXoXizF86YwTYj5oNV+fzEi/zVYWtBDQ==",
            "requires": {
                "@pulumi/pulumi": "^1.0.0",
                "aws-sdk": "^2.0.0",
                "builtin-modules": "3.0.0",
                "mime": "^2.0.0",
                "read-package-tree": "^5.2.1",
                "resolve": "^1.7.1"
            }
        },
@stocky-spoon-28903 @broad-dog-22463 Any updates?
@stocky-spoon-28903 @broad-dog-22463 crickets?

broad-dog-22463

10/21/2019, 8:39 PM
Hi @modern-bear-85657, apologies - it's 2339 here so I am off my machine right now - I will try and recreate this tomorrow - can you post me a sample of the IAM Policy that I can recreate this with?

stocky-spoon-28903

10/21/2019, 8:41 PM
Yes, the policy is fine so a repro with context is the only way forward here

modern-bear-85657

10/21/2019, 8:46 PM
// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy('bucket-policy', {
    name: pulumi.interpolate `demo-s3-${envConfig.account_name}`,
    description: 'S3 bucket access',
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                Resource: pulumi.interpolate `${bucket.arn}/*`,
                Principal: devRole.arn
            }
        ]
    }
})
@broad-dog-22463 @stocky-spoon-28903 ping

stocky-spoon-28903

10/31/2019, 11:15 PM
OK I see the issue here. The following gives the same error message you were seeing:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket");

const account_name = pulumi.output("test")
const arn = pulumi.output("*");

// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy("bucket-policy", {
    name: pulumi.interpolate `demo-s3-${account_name}`,
    description: 'S3 bucket access',
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                Resource: pulumi.interpolate `${bucket.arn}/*`,
                Principal: arn,
            }
        ]
    }
});

// Export the name of the bucket
export const bucketName = bucket.id;
IMO this is a very unhelpful message from the TypeScript compiler, and is because you are using an output as the Principal.
The issue is that in this case there is no type of Principal where Output<string> in PolicyDocument is valid.
That said, I’m seeing something similar when doing this the “old” way of using pulumi.all(...).apply(...) also.
Actually, just found the issue… the error did not help though!
An IAM Policy like that cannot have a Principal (because the Principal is the thing it is attached to)
So it’s in fact not a valid PolicyDocument, just not for the reason it first suggests
// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy("bucket-policy", {
    name: pulumi.interpolate`demo-s3-${account_name}`,
    description: 'S3 bucket access',
    policy: pulumi.output({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                // pulumi.interpolate resolves the Output; a plain template literal would not
                Resource: pulumi.interpolate`${bucket.arn}/*`,
            }
        ]
    })
});

modern-bear-85657

11/04/2019, 1:55 PM
Thanks, @stocky-spoon-28903! That’s just what I needed!