# typescript
m
Why does defining IAM policies think this is an error?
```
Types of property 'Version' are incompatible.
      Type 'string' is not assignable to type 'Input<"2008-10-17" | "2012-10-17">'.ts(2322)
```
b
The string needs to be 1 of those 2 values
m
My string is one of those values. But it’s not an `Input` object. I don’t see why that’s necessary.
b
Can you show me your IAM policy definition?
m
```typescript
const policy = new aws.iam.Policy('bucket-policy', {
    name: '...',
    description: '...',
    policy: {
        Version: '2012-10-17',
        Statement: [{/* ... */}]
    }
})
```
s
Hmm, that should be ok. What version of the library are you using?
m
Here’s my package.lock:
```json
"@pulumi/aws": {
    "version": "1.6.0",
    "resolved": "https://{{ nexus.internal }}/repository/npm-all/@pulumi/aws/-/aws-1.6.0.tgz",
    "integrity": "sha512-zEqTtMpFoDJwGhhA+CIiSto6shURsCCjbKAIZLGRnlCbx4f5LQR0eZjXoXizF86YwTYj5oNV+fzEi/zVYWtBDQ==",
    "requires": {
        "@pulumi/pulumi": "^1.0.0",
        "aws-sdk": "^2.0.0",
        "builtin-modules": "3.0.0",
        "mime": "^2.0.0",
        "read-package-tree": "^5.2.1",
        "resolve": "^1.7.1"
    }
},
```
@stocky-spoon-28903 @broad-dog-22463 Any updates?
@stocky-spoon-28903 @broad-dog-22463 crickets?
b
Hi @modern-bear-85657, apologies - it's 2339 here so I am off my machine right now - I will try and recreate this tomorrow - can you post me a sample of the IAM Policy that I can recreate this with?
s
Yes, the policy is fine so a repro with context is the only way forward here
m
```typescript
// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy('bucket-policy', {
    name: pulumi.interpolate `demo-s3-${envConfig.account_name}`,
    description: 'S3 bucket access',
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                Resource: pulumi.interpolate `${bucket.arn}/*`,
                Principal: devRole.arn
            }
        ]
    }
})
```
@broad-dog-22463 @stocky-spoon-28903 ping
s
OK I see the issue here. The following gives the same error message you were seeing:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket");

const account_name = pulumi.output("test")
const arn = pulumi.output("*");

// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy("bucket-policy", {
    name: pulumi.interpolate `demo-s3-${account_name}`,
    description: 'S3 bucket access',
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                Resource: pulumi.interpolate `${bucket.arn}/*`,
                Principal: arn,
            }
        ]
    }
});

// Export the name of the bucket
export const bucketName = bucket.id;
```
IMO this is a very unhelpful message from the typescript compiler, and is because you are using an output as the `Principal`.
The issue is that in this case there is no type of `Principal` where `Output<string>` in `PolicyDocument` is valid.
That said, I’m seeing something similar when doing this the “old” way of using `pulumi.all(...).apply(...)` also.
Actually, just found the issue… the error did not help though!
An IAM Policy like that cannot have a `Principal` (because the Principal is the thing it is attached to)
So it’s in fact not a valid `PolicyDocument`, just not for the reason it first suggests
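```typescript
// Build an IAM Policy to access the bucket
const policy = new aws.iam.Policy("bucket-policy", {
    name: pulumi.interpolate`demo-s3-${account_name}`,
    description: 'S3 bucket access',
    // No Principal here: the principal is whatever this policy gets attached to
    policy: pulumi.output({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "s3:GetObject",
                Effect: "Allow",
                // pulumi.interpolate is required: a plain template literal would
                // stringify the Output object instead of resolving the bucket ARN
                Resource: pulumi.interpolate`${bucket.arn}/*`,
            }
        ]
    })
});
```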
m
Thanks, @stocky-spoon-28903! That’s just what I needed!