https://pulumi.com logo
Powered by
Title
r

rich-branch-48115

01/08/2023, 1:56 PM
Hey everyone 🙂 I'm trying to create 
pulumi_aws.iam.Role
that it's assume_role_policy uses an 
output[str]
value in the json. 
def _create_iam_role_with_policies(
        self,
        role_name: str,
        policies_arns: list[str],
        client_name: str,
        is_authenticated: bool,
        identity_pool: pulumi_aws.cognito.IdentityPool,
    ):
        role = pulumi_aws.iam.Role(
            resource_name=f"{role_name}",
            name=role_name,
            assume_role_policy=identity_pool.id.apply(
                lambda id: f"""{{
                    "Version": "2012-10-17",
                    "Statement": [
                        {{
                                "Effect": "Allow",
                                "Principal": {{"Federated": "<http://cognito-identity.amazonaws.com|cognito-identity.amazonaws.com>"}},
                                "Action": "sts:AssumeRoleWithWebIdentity",
                                "Condition": {{
                                        "StringEquals": {{
                                                "<http://cognito-identity.amazonaws.com:aud|cognito-identity.amazonaws.com:aud>": "{id}"
                                            }},
                                        "ForAnyValue:StringLike": {{
                                                "<http://cognito-identity.amazonaws.com:amr|cognito-identity.amazonaws.com:amr>": {"authenticated" if is_authenticated else "unauthenticated"}
                                            }}
                                    }}
                            }}
                    ]
                }}"""
            ),
            tags={"client-id": client_name},
            opts=pulumi.ResourceOptions(depends_on=[identity_pool]),
        )
I'm getting an error for an invalid json, I guess that it relates to the usage of an 
output[str]
within 
assume_role_policy
that uses the identity_pool_id. The error I'm getting is: 
aws:iam/role:Role resource 'my_random_name' has a problem: "assume_role_policy" contains an invalid JSON: invalid character 'a' looking for beginning of value. Examine values at 'Role.AssumeRolePolicy'.
Is there a way to use 
output[str]
in 
assume_role_policy
?
b

billowy-army-68599

01/08/2023, 3:10 PM
Yes, you have to use an apply
s

stocky-restaurant-98004

01/09/2023, 2:31 PM
Example: 
bucket_policy = aws.s3.BucketPolicy(
    "my-website-bucket-policy",
    bucket=bucket.id,
    policy=bucket.arn.apply(
        lambda arn: json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    f"{arn}/*"
                ]
            }]
        })),
)
#awsJoin Slack
Powered by