I am running into some permission problems that I cannot figure out.
The Step Function deployment fails with the error:

```
Error: AccessDeniedException: The state machine IAM Role is not authorized to access the Log Destination
10:12:19 status code: 400, request id: ff46f8c0-fcc8-4190-ba6a-13f5ab617c78
10:12:19
10:12:19 on step_function.tf line 1, in resource "aws_sfn_state_machine" "oss_integration_data_process_sf":
10:12:19 1: resource "aws_sfn_state_machine" "os_int_data_process_sf" {
```

Interestingly, it only happens for one Lambda, while all the Lambdas have the same prefix, and we have the Step Function granted these permissions:

```json
{
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:AssociateKmsKey",
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups"
  ],
  "Resource": [
    "arn:aws:logs:us-east-1:XXXX:log-group:*/*"
  ],
  "Effect": "Allow"
}
```

I can run the Lambda after deployment and see a CloudWatch log stream with the Lambda name being created.
I ran into the same problem and solved it by updating the role policy as described here: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
Usually PutLogEvents and CreateLogStream should be enough for resources such as Lambda, but apparently Step Functions also needs the other logging permissions.
You can create the permission with a wildcard `*` as the resource and your permission problem will be resolved, as shown on the documentation page:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:CreateLogStream",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries",
        "logs:PutLogEvents",
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    }
  ]
}
```
If you want to follow the principle of least-privilege access, there are a few points about CloudWatch permissions to check:

- The `LogDelivery` and `ResourcePolicy` actions do not support resource types, so they must use the `*` wildcard as the resource:

```yaml
- Effect: Allow
  Action:
    - 'logs:CreateLogDelivery'
    - 'logs:GetLogDelivery'
    - 'logs:UpdateLogDelivery'
    - 'logs:DeleteLogDelivery'
    - 'logs:ListLogDeliveries'
    - 'logs:PutResourcePolicy'
    - 'logs:DescribeResourcePolicies'
  Resource: '*'
```

- The `PutLogEvents` action is at the `log-stream*` level, so if you want to restrict it you need to follow this pattern:

```yaml
- Effect: Allow
  Action:
    - 'logs:PutLogEvents'
  Resource: 'arn:aws:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}'
```

- The `Destination`-related actions are at the `destination*` level, so if you want to restrict them you need to follow this pattern:

```yaml
- Effect: Allow
  Action:
    - 'logs:PutDestination'
    - 'logs:PutDestinationPolicy'
  Resource: 'arn:aws:logs:${Region}:${Account}:log-group:${LogGroupName}:destination:${DestinationName}'
```

- The `PutSubscriptionFilter` action is at the `log-group` and `destination*` levels. For more information on CloudWatch Logs actions and permissions, see here:
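As an added example (not from any answer on this page), here is a small Python check that encodes the split described above: given an IAM policy document, it reports delivery and resource-policy actions that are missing or granted on a non-`*` Resource (which IAM cannot match for those actions, and which is the shape of the policy in the question), and scopable actions that are granted on `*`. The account id and log-group name in the two sample policies are constructed.

```python
# Delivery and resource-policy actions Step Functions needs for CloudWatch
# Logs. They do not support resource-level permissions, so an Allow whose
# Resource is anything other than "*" never matches and grants nothing.
WILDCARD_ONLY = {
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
}
# Actions that do accept a log-group / log-stream ARN and should be scoped.
SCOPABLE = {"logs:PutLogEvents", "logs:CreateLogStream"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def check_sfn_logging_policy(policy):
    """Return findings: missing:<a>, ineffective:<a> (wildcard-only action
    allowed on a non-* resource) or broad:<a> (scopable action on *)."""
    allowed = {}  # action -> set of resources it is allowed on
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in _as_list(stmt.get("Action", [])):
            allowed.setdefault(action, set()).update(resources)
    findings = []
    for action in sorted(WILDCARD_ONLY):
        if action not in allowed:
            findings.append(f"missing:{action}")
        elif "*" not in allowed[action]:
            findings.append(f"ineffective:{action}")
    for action in sorted(SCOPABLE):
        if "*" in allowed.get(action, set()):
            findings.append(f"broad:{action}")
    return findings


# Constructed sample modelled on the question's policy (fake account id).
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(SCOPABLE) + sorted(WILDCARD_ONLY),
    "Resource": ["arn:aws:logs:us-east-1:111122223333:log-group:*/*"],
}]}
# Least-privilege split from the answer above: "*" only where unavoidable.
SPLIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(WILDCARD_ONLY), "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(SCOPABLE),
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/demo:*"},
]}
```

Running `check_sfn_logging_policy(ASKER_POLICY)` flags every delivery action as ineffective, while the split policy produces no findings.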
I ran into the same error when using a CloudFormation template:

```
The state machine IAM Role is not authorized to access the Log Destination
```

but the actual problem was that the YAML field `CloudWatchLogsLogGroup` was misconfigured.
So I updated it to use the syntax below, and everything works.

```yaml
StateMachine:
  Type: AWS::Serverless::StateMachine
  DependsOn:
    - LogGroup
    - CustomRole
  Properties:
    Name: StateMachine
    Role: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomRole
    Logging:
      Destinations:
        - CloudWatchLogsLogGroup:
            LogGroupArn: !GetAtt LogGroup.Arn
      IncludeExecutionData: true
      Level: ALL
```

That said, I think the AWS documentation on this topic is very confusing.
In addition to Tyn's answer, I also needed:

```hcl
statement {
  effect = "Allow"
  actions = [
    "xray:PutTraceSegments",
    "xray:PutTelemetryRecords",
    "xray:GetSamplingRules",
    "xray:GetSamplingTargets",
  ]
  resources = ["*"]
}
```