Hello! First time engaging in any kind of slack community. I’m following a AWS guide about cross-account role access for Amazon ECS tasks (see https://aws.amazon.com/premiumsupport/knowledge-center/ecs-iam-role-another-account/). It tells me to “modify the trust policy of the IAM role in the destination account”. However, I can’t find a way of modifying an existing role’s trust relationship via Pulumi. When creating a role I can provide the “AssumeRolePolicy” argument, but I can’t find a way to modify the role when it already exists. Would anyone be so helpful and point me in the right direction on how to proceed here? For context I’m writing Pulumi in Go.

Sounds like you might need to import the existing IAM role and policy, then you can amend it and apply it. https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/#import

Hi, thanks for the feedback! I’m quite new to pulumi and so doesn’t grasp all concepts just yet. I want to update the trust relationship of an already existing role (that was not created by pulumi). I’m confused about the API not providing any functions for updating iam resources. I can only see “GetX”, “LookupX” and “NewX” functions, but not any functions indicating updates of iam resources. I’m thinking “AWS allows us to update trust relationships, so why shouldn’t pulumi?“. I’m sure pulumi allows me to do this, but I don’t know how…

So Pulumi will have no knowledge of the IAM role, as pulumi didnt create it, similar to terraform. If you import the existing resource to your stack, you can then modify it as desired with pulumi

Thank you so much for your response! Very helpful

no problem! feel free to message me if you need anything else 🙂