英文:
Why can't I describe log streams but my function has required permissions
问题
我无法使用这段代码描述日志流。但是我已经为我的角色添加了描述它们的权限。可能的问题是什么?我已经进行了研究,根据我创建的角色,我应该能够执行以下操作:
- 创建日志组
- 创建日志流
- 描述日志流
- 放置日志事件
- 标记资源
- 从 SQS 队列接收消息
- 从 SQS 队列删除消息
- 获取队列属性
我没有与 SQS 操作相关的问题。唯一无法执行的是描述日志流操作。
英文:
I can't describe log streams using this code.
const response = await cloudWatchLogs
.describeLogStreams({
logGroupName,
logStreamNamePrefix: logStreamName,
})
.promise()
But I have added permissions to describe them in my role. What could be the problem? I have done my research and based on the role that I have created I should be able to do the following
- Create log groups
- Create log streams
- describe log streams
- put log events
- tag resources
- receive messages from sqs queue
- delete messages from sqs queue
- get queue attributes
I don't have problems with SQS actions. It's only describe log streams action that I can't do.
sqsLambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: SQSLambdaRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
# note that these rights are needed if you want your function to be able to communicate with resources within your vpc
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Policies:
- PolicyName: sqsLambdaPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogStreams
- logs:PutLogEvents
- logs:TagResource
Resource:
- 'Fn::Join':
- ':'
-
- 'arn:aws:logs'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'log-group:/aws/lambda/*:*:*'
- Effect: "Allow"
Action:
- sqs:ReceiveMessage
- sqs:DeleteMessage
- sqs:GetQueueAttributes
Resource: '*'
答案1
得分: 1
如在评论中讨论的那样,问题是由于日志组不在/aws/lambda路径下,这是策略在这里授予访问权限的原因:
Resource:
- 'Fn::Join':
- ':'
-
- 'arn:aws:logs'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'log-group:/aws/lambda/*:*:*'
因此,要解决此问题,您需要更改策略以允许您的日志组具有的前缀。
英文:
As discussed in the comments, the issue was due to log group not being under /aws/lambda path, which is what policy was giving access to here:
Resource:
- 'Fn::Join':
- ':'
-
- 'arn:aws:logs'
- Ref: 'AWS::Region'
- Ref: 'AWS::AccountId'
- 'log-group:/aws/lambda/*:*:*'
So to fix this you need to change policy to allow prefix that your log group has.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论