“AWS 无法在命令行上执行操作”

huangapple go评论68阅读模式
英文:

AWS Unable to perform action on cli

问题

I am able to perform some action (specifically use cloudwatch insight and run a query) on aws console. But I am unable to do the same using aws cli or boto3 (aws logs start-query). It gives AccessDeniedError. However I am able to run other commands like aws s3 ls. Isn't it the case that permissions for both console and cli are same?

Exact error is

An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::----:assumed-role/---- is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:----

How should I debug this issue.

英文:

I am able to perform some action (specifically use cloudwatch insight and run a query) on aws console. But I am unable to do the same using aws cli or boto3 (aws logs start-query). It gives AccessDeniedError. However I am able to run other commands like aws s3 ls. Isn't it the case that permissions for both console and cli are same ?

Exact error is

An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::----:assumed-role/---- is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:----

How should I debug this issue.

答案1

得分: 1

这意味着您正在使用的CLI用户没有执行 logs:StartQuery 操作的权限。

为了测试目的,您可以将预定义策略 CloudWatchLogsFullAccess 授予CLI用户。有关更精细的权限检查,请查看:CloudWatch Logs权限参考

英文:

It means the cli user you are using does not have permission for logs:StartQuery operation.

For testing purposes you can grant the predefined policy CloudWatchLogsFullAccess to cli user. For more fine-grained permission check: CloudWatch Logs Permissions Reference

huangapple
  • 本文由 发表于 2020年1月3日 22:02:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/59579904.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定