我有一个运行 Apache Flink 1.13 项目的 AWS Kinesis 数据应用程序。我在附加到 IAM 角色的策略中提供了以下访问权限。我已验证 IAM 角色在 AWS 控制台中附加了此策略。
Kinesis 应用程序的 AWS 角色(在 Terraform 中):
resource "aws_iam_role" "kinesis_application_role" {
name = "dev-kinesis_application_role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
"Service" : "kinesisanalytics.amazonaws.com"
}
},
]
})
政策允许
cloudwatch:PutMetricData
行动。
{
"Action": [
"cloudwatch:PutMetricData"
],
"Effect": "Allow",
"Resource": [
"arn:aws:cloudwatch:us-east-1:<aws_account_id>:metric/*",
"arn:aws:cloudwatch:us-east-1:<aws_account_id>:alarm:*",
"arn:aws:cloudwatch:us-east-1:<aws_account_id>:rule/*",
"arn:aws:cloudwatch:us-east-1:<aws_account_id>:dashboard/*",
"arn:aws:cloudwatch:us-east-1:<aws_account_id>:log-group:/*"
],
"Sid": "Cloudwatch"
}
但是我在 Cloudwatch 日志中收到错误
not authorized to perform: cloudwatch:PutMetricData
。此操作还需要哪些其他访问权限?
[error] [AWS Log: ERROR](AWSClient)HTTP response code: 403\nException name: AccessDenied
Error message: User: arn:aws:sts::<user id>:assumed-role/dev-kinesis_application_role/kiam-kiam
is not authorized to perform: cloudwatch:PutMetricData
because no identity-based policy allows the cloudwatch:PutMetricData action
和警告:
[2023-04-05 17:51:13.897017] [0x000002d4][0x00007fa9e10f2700] [warning] [AWS Log: WARN](AWSErrorMarshaller)
Encountered AWSError 'AccessDenied': User: arn:aws:sts::008819713222:assumed-role/dev-kinesis_application_role/kiam-kiam
is not authorized to perform: cloudwatch:PutMetricData
because no identity-based policy allows the
cloudwatch:PutMetricData action