为什么我无法描述日志流,但我的函数具有所需权限?

huangapple go评论65阅读模式
英文:

Why can't I describe log streams but my function has required permissions

问题

我无法使用这段代码描述日志流。但是我已经为我的角色添加了描述它们的权限。可能的问题是什么?我已经进行了研究,根据我创建的角色,我应该能够执行以下操作:

  1. 创建日志组
  2. 创建日志流
  3. 描述日志流
  4. 放置日志事件
  5. 标记资源
  6. 从 SQS 队列接收消息
  7. 从 SQS 队列删除消息
  8. 获取队列属性

我没有与 SQS 操作相关的问题。唯一无法执行的是描述日志流操作。

英文:

I can't describe log streams using this code.

 const response = await cloudWatchLogs
  .describeLogStreams({
    logGroupName,
    logStreamNamePrefix: logStreamName,
  })
  .promise()

But I have added permissions to describe them in my role. What could be the problem? I have done my research and based on the role that I have created I should be able to do the following

  1. Create log groups
  2. Create log streams
  3. describe log streams
  4. put log events
  5. tag resources
  6. receive messages from sqs queue
  7. delete messages from sqs queue
  8. get queue attributes

I don't have problems with SQS actions. It's only describe log streams action that I can't do.

sqsLambdaRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: SQSLambdaRole 
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        # note that these rights are needed if you want your function to be able to communicate with resources within your vpc
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        Policies:
          - PolicyName: sqsLambdaPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:DescribeLogStreams
                    - logs:PutLogEvents
                    - logs:TagResource
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                -  Effect: "Allow"
                   Action:
                     - sqs:ReceiveMessage
                     - sqs:DeleteMessage
                     - sqs:GetQueueAttributes
                   Resource: '*'

答案1

得分: 1

如在评论中讨论的那样,问题是由于日志组不在/aws/lambda路径下,这是策略在这里授予访问权限的原因:

                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'

因此,要解决此问题,您需要更改策略以允许您的日志组具有的前缀。

英文:

As discussed in the comments, the issue was due to log group not being under /aws/lambda path, which is what policy was giving access to here:

                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'

So to fix this you need to change policy to allow prefix that your log group has.

huangapple
  • 本文由 发表于 2023年6月26日 13:05:21
  • 转载请务必保留本文链接:https://go.coder-hub.com/76553643.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定