# golang
b
Hi. I am trying to create an acs policy for a service, and I need to give it access to a role I am creating also in the same pulumi template. How can I make it so that when creating a policy it uses the ARN of an element?
```go
s3Bucket, err := s3.NewBucket(ctx, "demo", &s3.BucketArgs{})
iam.NewPolicy(ctx, "demo", &iam.PolicyArgs{
	Policy: pulumi.Sprintf(`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": s3Bucket.ARN
        }
    ]
}`),
```
b
try:
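```go
s3Bucket, err := s3.NewBucket(ctx, "demo", &s3.BucketArgs{})
if err != nil {
	return err
}
_, err = iam.NewPolicy(ctx, "demo", &iam.PolicyArgs{
	// The bucket ARN is an output, so it is passed as a Sprintf argument and
	// resolved at deploy time. The placeholder is quoted to keep the JSON valid.
	Policy: pulumi.Sprintf(`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "%s"
        }
    ]
}`, s3Bucket.Arn),
})
if err != nil {
	return err
}
```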
b
I have tested it and it seems to be wrong:
```go
policy := pulumi.JSONMarshal(map[string]interface{}{
	"Id":      "demo-policy",
	"Version": "2012-10-17",
	"Statement": []interface{}{
		map[string]interface{}{
			"Sid": "Enable IAM User Permissions",
			"Principal": map[string]interface{}{
				"AWS": pulumi.Sprintf("arn:aws:iam::%s:root", current.AccountId),
			},
			"Action": "ec2:*",
			"Effect": "Allow",
		},
	},
})
```
The policy is something like this:
```
"Principal": {
        "AWS": "arn:aws:iam::%!d(string=123123123131):root"
      },
```
b
You’re trying to interpolate an int as a string. Use %d instead.
b
Thanks!
Typical of being obsessed with looking for the needle in the haystack.
g
I would highly suggest making use of iam.GetPolicyDocument instead of trying to format a string within your code.
It avoids having to do the JSONMarshal stuff as well.
b
I am testing it, and the truth is that although it looks fine for the example in the documentation, for simple things I find it excessively complicated in some cases. Most of the time you always have to check whether an error has occurred, but if you do it the JSONMarshal way, that isn't necessary.
g
Generally speaking, you should be handling your errors. If you didn't want to, maybe golang wasn't the right choice.