No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey <@U026X4RCVNK>, This one feels familiar from vague memories.  Could you try?
```identifiers: [bitbucket.oidcProvider.arn.apply(arn =&gt; arn)],```
I’m afraid that’s my best guess right now.

<@UTE5PRG1Y> nope, it's still not a string :disappointed:.

Ah ok.  Sorry.  Better leave it to someone more capable. Can’t think why and don’t want to suggest casting which feels wrong for some reason. Good luck :crossed_fingers:

this seems to be working, but meh:
```    assumeRolePolicy: bitbucket.oidcProvider.arn.apply(
        providerArn =&gt; pulumi.all([bitbucket.oidcProvider.arn, bitbucket.oidcProvider.url]).apply(
            ([arn, url]) =&gt;
            aws.iam.getPolicyDocument({statements: [{
                actions: ["sts:AssumeRoleWithWebIdentity"],
                principals: [{
                    identifiers: [arn],
                    type: "Federated",
                }],
                conditions: [{
                    test: "StringLike",
                    variable: `${url.replace("https://", "")}:sub`,
                    values: ["..."],
                }],
            }]}).then(doc =&gt; doc.json)
        )
    )```

then the diff is useless:
```assumeRolePolicy   : output&lt;string&gt;```

try something like this
``` identifiers: [pulumi.interpolate`{bitbucket.oidcProvider.arn}`]```


<@U029GS77Q4S>’s right. `pulumi.interpolate` is your friend for these sorts of things when using JS/TS. So try:

```identifiers: [pulumi.interpolate`${bitbucket.oidcProvider.url.replace("https://", "")}:sub`]```


Oh I misread the error message. The problem is that `identifiers` doesn’t take an `Output&lt;string&gt;` . So yeah you will need to use an outer `apply` to get the plain string value. As for the string interpolation you are doing inside `variable` you could use `pulumi.interpolate` for such.

Untitled.ts

In this case you should cast to PolicyDocument, not use the `getPolicyDocument()` function.
(Code untested.. I'm particularly not confident in the LHS of the condition...)

This means that you don't need `apply()` to generate the document. You only need `apply()` to transform fields. Or in this case, `pulumi.interpolate`.

Yeah I guess what was the reason for using `aws.iam.getPolicyDocument` <@U026X4RCVNK>. If it was to simply construct a policy document that you can use with a `Policy` resource, you could just use the `aws.iam.PolicyDocument` type as <@U012UJTT55M> suggests. That is overall better than trying to encapsulate everything inside an `apply`.