# golang
m
Help with AWS IAM policies. Hi everyone! I’m a bit stuck with IAM policy creation using pulumi AWS. The policy document as described here should be a string; however, if you want to restrict it to a specific resource you created before, you need to convert the resource ARN to a string. I looked into the examples in the doc but they are not very helpful with that. What are the options here to pass the resource ARN you created to a policy document (or in other words convert pulumi.StringOutput to string)?
f
You can wrap it into a helper function (or a lambda), like this:
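import json

def _make_ecr_policy(repo_arn: str) -> str:
    # Receives the resolved ARN as a plain str and returns the policy JSON.
    return json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [],  # statement entries are cut off in the original message
        }
    )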
and then
aws.iam.Policy(
    "repo_access",
    name=f"{pulumi.get_project()}-repo-access",
    policy=repo.arn.apply(_make_ecr_policy),
    opts=pulumi.ResourceOptions(parent=repo),
)
or use https://www.pulumi.com/registry/packages/aws/api-docs/iam/getpolicydocument/
(Python examples, sorry, but I guess it'll be quite similar in Go)
m
Yeah, I can see how it can be used with Python, but in the case of golang it seems more complicated and requires messing around with reflection because the applyT return type is pulumi.StringOutput (I cannot just say the return type is string, as one of the examples in the doc shows).
f
I have it ugly! Have no idea how canonical it is but this works https://pastebin.com/Bkasv0cq
m
Thank you, @fierce-ability-58936! I probably wanted to do it with a slightly different approach. What I’ve learned so far is that I need a bit of a shift in thinking to be more pulumi idiomatic 🙂