Why does defining IAM policies think this is an error ``` Ty

Question

Why does defining IAM policies think this is an error ``` Types of property Version are incompatible Type string is not assignable to type Input lt 2008 10 17 | 2012 10 17 gt ts 2322 ```

broad-dog-22463 · Answer

The string needsa to be 1 of those 2 values

modern-bear-85657 · Answer

My string is one of those values But it s not an `Input` object I don t see why that s necessary

broad-dog-22463 · Answer

Can you show me your IAM policy definition

modern-bear-85657 · Answer

``` const policy = new aws iam Policy bucket policy name description policy Version 2012 10 17 Statement ```

stocky-spoon-28903 · Answer

Hmm that should be ok What version of the library are you using

modern-bear-85657 · Answer

Here s my package lock ``` pulumi aws version 1 6 0 resolved https nexus internal repository npm all pulumi aws aws 1 6 0 tgz integrity sha512 zEqTtMpFoDJwGhhA+CIiSto6shURsCCjbKAIZLGRnlCbx4f5LQR0eZjXoXizF86YwTYj5oNV+fzEi zVYWtBDQ== requires pulumi pulumi ^1 0 0 aws sdk ^2 0 0 builtin modules 3 0 0 mime ^2 0 0 read package tree ^5 2 1 resolve ^1 7 1 ```

modern-bear-85657 · Answer

< stocky spoon 28903> < broad dog 22463> Any updates

modern-bear-85657 · Answer

< stocky spoon 28903> < broad dog 22463> crickets

broad-dog-22463 · Answer

Hi < modern bear 85657> apologies it s 2339 here so I am off my machine right now I will try and recreatethis tomorrow can you post me a sample of the IAM Policy that I can recreate this with

stocky-spoon-28903 · Answer

Yes the policy is fine so a repro with context is the only way forward here

modern-bear-85657 · Answer

``` Build an IAM Policy to access the bucket const policy = new aws iam Policy bucket policy name pulumi interpolate `demo s3 $ envConfig account name ` description S3 bucket access policy Version 2012 10 17 Statement Action s3 GetObject Effect Allow Resource pulumi interpolate `$ bucket arn ` Principal devRole arn ```

modern-bear-85657 · Answer

< broad dog 22463> < stocky spoon 28903> ping

stocky-spoon-28903 · Answer

OK I see the issue here The following gives the same error message you were seeing

stocky-spoon-28903 · Answer

``` import as pulumi from pulumi pulumi import as aws from pulumi aws import as awsx from pulumi awsx const bucket = new aws s3 Bucket my bucket const account name = pulumi output test const arn = pulumi output Build an IAM Policy to access the bucket const policy = new aws iam Policy bucket policy name pulumi interpolate `demo s3 $ account name ` description S3 bucket access policy Version 2012 10 17 Statement Action s3 GetObject Effect Allow Resource pulumi interpolate `$ bucket arn ` Principal arn Export the name of the bucket export const bucketName = bucket id ```

stocky-spoon-28903 · Answer

IMO this is a very unhelpful message from the typescript compiler and is because you are using an output as the `Principal`

stocky-spoon-28903 · Answer

The issue is that in this case there is no type of `Principal` where `Output<string>` in `PolicyDocument` is valid

stocky-spoon-28903 · Answer

That said I m seeing something similar when doing this the old way of using `pulumi all apply ` also

stocky-spoon-28903 · Answer

Actually just found the issue the error did not help though

stocky-spoon-28903 · Answer

An IAM Policy like that cannot have a `Principal` because the Principal is the thing it is attached to

stocky-spoon-28903 · Answer

So it s in fact not a valid `PolicyDocument` just not for the reason it first suggests

stocky-spoon-28903 · Answer

``` Build an IAM Policy to access the bucket const policy = new aws iam Policy bucket policy name pulumi interpolate`demo s3 $ account name ` description S3 bucket access policy pulumi output Version 2012 10 17 Statement Action s3 GetObject Effect Allow Resource `$ bucket arn ` ```

modern-bear-85657 · Answer

Thanks < stocky spoon 28903> That s just what I needed