Hi, does anyone have any tips how I can dynamically get the AWS account ID and pass it to a function to use to generate a JSON snippet?

Inside a pulumi script or elsewhere? In Typescript we do:

import * as aws from '@pulumi/aws'

const current = aws.getCallerIdentity({})
const accountId = current.then((current) => current.accountId)

Sorry, in pulumi. I've tried the top one, but it returns a Promise<string>, so when I pass it to the function and run pulumi up, I get [Promise: Object] instead of the account number...

oh yes we then use interpolation

const sqsQueueUrl = interpolate`<https://sqs>.${region}.<http://amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}|amazonaws.com/${accountId}/link-medmeme-migration-sqs-${env}>`

This is the separate function that account id is passed to:

export function setPolicyDocument(accountId: any): string {
  return `{
    \"Version\":\"2012-10-17\",
    \"Statement\": [
        {
            \"Effect\":\"Allow\",
            \"Principal\":{
                \"Federated\":\"arn:aws:iam::${accountId}:saml-provider/sgn.okta-emea.com\"
            },
            \"Action\":\"sts:AssumeRoleWithSAML\",
            \"Condition\": {
                \"StringEquals\":{
                    \"SAML:aud\":\"<https://signin.aws.amazon.com/saml>\"
                    }
                }
            }
        ]
    }`;
}

yep we do something similar, but use interpolate which resolves promises

accessPolicies: pulumi.interpolate`{
        "Statement": [
          {
            "Action": "es:*",
            "Effect": "Allow",
            "Principal": { "AWS": "${this.cognito.authenticatedRole.arn}" },
            "Resource": "arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*"
          }
        ],
        "Version": "2012-10-17"
      }`,

keep getting this error, @damp-school-17708

pulumi:pulumi:Stack (Okta_AWS_Setup-dev):
    error: Running program 'C:\SGN_Patterns\Okta_AWS_Setup\application' failed with an unhandled exception:
    Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: could not validate provider configuration: 1 error occurred:
        * Invalid or unknown key

We do have a section in our Pulumi configs

config:
  aws:region: us-east-1

Maybe is that?

I am using AWS. Think i've sorted it. As per normal it was something simple, I had double quotes inside my pulumi.<stack>.yaml file. But the pulumi.interpolate also helped 🙂 Thank you kindly for your help.

Aside: there is the

aws.iam.PolicyDocument

class that creates the JSON for you. You don't need to do anything special, sometimes you can even avoid interpolation:

new aws.iam.Policy(name, {
  policy: {
    Version: "2012-10-17",
    Statement": [
        {
            Effect: "Allow",
            "Principal": { "AWS": this.cognito.authenticatedRole.arn },
            "Resource": pulumi.interpololate`arn:aws:es:${region}:${accountId}:domain/link-${env}-*/*`
        }
    ]
  } as aws.iam.PolicyDocument
  // ...
}

That looks cleaner, thank you @little-cartoon-10569

i would remove the

as aws.iam.PolicyDocument

casting since it removes type-safety in this scenario and is not necessary for it to compile

Yes, it was added to show where the class is in the code. It's best not to have it.