# aws
l
Hi all. From the AWS console, it’s easy to create a new IAM Role with an AWS service as a trusted entity, without having to type in a trust policy document. However, I’m having trouble figuring out how to do this in Pulumi — every example has the trusted entities policy document as a string literal (into assumeRolePolicy). This is very undesirable, as it essentially requires that you create the Role by hand first, using the AWS console, so that you know what the Service name needs to be. Is there any way to just have Pulumi look this up automatically like the console does?
l
Aren't AWS Service names static strings? Why do you need to look anything up in the console? I presume AWS publishes a list of them somewhere, but this is what I usually use: https://gist.github.com/shortjared/4c1e3fe52bdfa47522cfe5b41e5d6f22
l
Thanks for the list! However, my hope was to avoid having to look up these names at all, and be able to discover them easily within Pulumi’s library (i.e., as a predefined constant or something).
l
Hmm... I'm not aware of anything like that. Seems like a good idea. At the rate AWS add new services, it'll probably need a lot of maintenance, but the most popular 20 services probably account for 99% of uses...
I've had a look around, and it seems that not even AWS maintains a list like this. Their official docs seem to be limited to the Note at the top of this page: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html