No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

No. You're building a string there, and `this.cloudwatchLog` is an output, so `this.cloudwatchLog.arn` is a lifted output.

Instead of building the JSON document yourself, build an aws.iam.PolicyDocument object. Then you can use the output in the expected way.

If you just get rid of the backticks, and change the JSON syntax to TS/JS syntax (remove the quotes around the keys), it should work. Maybe some capitalization issues, not sure.

It's definitely an issue trying to use template literals with the Pulumi Ouput&lt;string&gt; type which seems to be a pseudo promise, But I can't work out how else to do it, `PolicyDocument` looks to be the answer. I'm just trying to port what I had in Terraform to Pulumi and learning along the way. Thanks for the help.

```this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          "Version": "2012-10-17",
          "Statement": [
            {
                "Sid": `${snakeCaseName}CanLog`,
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                "Resource": this.cloudwatchLog.arn.apply((arn: string) =&gt; arn)
            }
          ]
        },
      }, { parent: this });```
For anyone else with this issue - this worked for me. And I think this is how it's done??

The policy object is a normal object, so you don't need to quote the keys.

And this is redundant: `this.cloudwatchLog.arn.apply((arn: string) =&gt; arn)`. Just use `this.cloudwatchLog.arn`

&gt; And this is redundant: `this.cloudwatchLog.arn.apply((arn: string) =&gt; arn)`. Just use `this.cloudwatchLog.arn`
I did try that and it failed. Error message said I should try this and it worked. Let me try it again.

```      this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          Version: "2012-10-17",
          Statement: [
            {
                Sid: `${snakeCaseName}CanLog`,
                Effect: "Allow",
                Action: [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                Resource: this.cloudwatchLog.arn //.apply((value: string) =&gt; value)
            }
          ]
        },
      }, { parent: this.vpcRole });```
And it works. I think my state got a little bit funky and might have caused the error last night. Thank you. :thank-you:

Also found this little gem hidden in the docs today for string interpolation...
```pulumi.interpolate`${myS3Bucket.arn}/*````
Which is good for making policies. Just if anyone else reads this before Slack deletes it.