英文:
AWS Unable to perform action on cli
问题
I am able to perform some action (specifically use cloudwatch insight and run a query) on aws console. But I am unable to do the same using aws cli or boto3 (aws logs start-query). It gives AccessDeniedError. However I am able to run other commands like aws s3 ls. Isn't it the case that permissions for both console and cli are same?
Exact error is
An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::----:assumed-role/---- is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:----
How should I debug this issue.
英文:
I am able to perform some action (specifically use cloudwatch insight and run a query) on aws console. But I am unable to do the same using aws cli or boto3 (aws logs start-query). It gives AccessDeniedError. However I am able to run other commands like aws s3 ls. Isn't it the case that permissions for both console and cli are same ?
Exact error is
An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::----:assumed-role/---- is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:----
How should I debug this issue.
答案1
得分: 1
这意味着您正在使用的CLI用户没有执行 logs:StartQuery 操作的权限。
为了测试目的,您可以将预定义策略 CloudWatchLogsFullAccess 授予CLI用户。有关更精细的权限检查,请查看:CloudWatch Logs权限参考。
英文:
It means the cli user you are using does not have permission for logs:StartQuery operation.
For testing purposes you can grant the predefined policy CloudWatchLogsFullAccess to cli user. For more fine-grained permission check: CloudWatch Logs Permissions Reference
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论