AWS Step Functions deployment: log access problem

Question (votes: 0, answers: 4)

I'm running into a permissions problem that I can't figure out.

The Step Function deployment fails with this error:

```text
Error: AccessDeniedException: The state machine IAM Role is not authorized to access the Log Destination
10:12:19    status code: 400, request id: ff46f8c0-fcc8-4190-ba6a-13f5ab617c78
10:12:19
10:12:19    on step_function.tf line 1, in resource "aws_sfn_state_machine" "oss_integration_data_process_sf":
10:12:19     1: resource "aws_sfn_state_machine" "os_int_data_process_sf" {
```

Interestingly, it only happens for one lambda, although all the lambdas share the same prefix, and the Step Function role is granted these permissions:

```json
{
    "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:AssociateKmsKey",
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries",
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
    ],
    "Resource": [
        "arn:aws:logs:us-east-1:XXXX:log-group:*/*"
    ],
    "Effect": "Allow"
}
```

I can run the lambda after deployment and see that a CW log stream with the lambda name is getting created.

Tags: amazon-web-services aws-lambda aws-step-functions

4 answers

12 votes

I ran into the same problem and solved it by updating the role policy as described here: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html

Usually PutLogEvents and CreateLogStream are enough for resources like Lambda, but apparently Step Functions also needs the other log permissions.


6 votes

You can create the permission with the wildcard `*` as the resource and your permission problem will be solved, as shown on the documentation page.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:CreateLogStream",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "logs:PutLogEvents",
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

If you want to follow the principle of least-privilege access, there are a few points about the CloudWatch permissions to check:

  • The `LogDelivery` and `ResourcePolicy` actions do not support a resource type, so they must use the wildcard `*` as the resource:

        - Effect: Allow
          Action:
            - 'logs:CreateLogDelivery'
            - 'logs:GetLogDelivery'
            - 'logs:UpdateLogDelivery'
            - 'logs:DeleteLogDelivery'
            - 'logs:ListLogDeliveries'
            - 'logs:PutResourcePolicy'
            - 'logs:DescribeResourcePolicies'
          Resource: '*'

  • The `PutLogEvents` action is at the `log-stream*` level, so if you want to restrict it you need something like this:

        - Effect: Allow
          Action:
            - 'logs:PutLogEvents'
          Resource: 'arn:aws:logs:${Region}:${Account}:log-group:${LogGroupName}:log-stream:${LogStreamName}'

  • The `Destination`-related actions are at the `destination*` level, so if you want to restrict them you need something like this:

        - Effect: Allow
          Action:
            - 'logs:PutDestination'
            - 'logs:PutDestinationPolicy'
          # destination ARNs have no log-group segment
          Resource: 'arn:aws:logs:${Region}:${Account}:destination:${DestinationName}'

For more information on CloudWatch Logs actions and permissions, see:

Actions, resources, and condition keys for Amazon CloudWatch Logs
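As an added example that serves the first two answers (it is not code from the question or from any of the answers), the Python checker below encodes the rule the second answer states: an action without a resource type only matches `Resource: "*"`, so the question's policy, which lists every required action but scopes all of them to a log-group ARN, grants `CreateLogStream` and `PutLogEvents` and none of the LogDelivery/ResourcePolicy actions. It also builds the split least-privilege policy the second answer recommends. The account id, log group name and stream name are constructed placeholders, the action classification is taken from the answers rather than from a real IAM evaluation, and Deny statements, `NotAction` and `Condition` are assumed absent.

```python
"""Check whether an IAM policy grants a Step Functions role what it needs to
write execution logs to a CloudWatch Logs log group, and build the
least-privilege version of that policy.

Assumption (taken from the answers above, not from an IAM engine): the
LogDelivery and ResourcePolicy actions have no resource type, so IAM matches
them only against Resource "*"; CreateLogStream and PutLogEvents can be scoped
to the log group and its streams.  Deny, NotAction and Condition are ignored.
"""
import fnmatch

WILDCARD_ONLY_ACTIONS = {
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
}
SCOPED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
REQUIRED_ACTIONS = WILDCARD_ONLY_ACTIONS | SCOPED_ACTIONS

# Constructed log group ARN: placeholder account id, name in the
# /aws/vendedlogs/states/ style Step Functions uses for its log groups.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/demo-sm-Logs"

# The question's statement, with the same "log-group:*/*" Resource.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "logs:AssociateKmsKey", "logs:CreateLogDelivery", "logs:GetLogDelivery",
            "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
            "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
        ],
        "Resource": ["arn:aws:logs:us-east-1:111122223333:log-group:*/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively and allow "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_covers(pattern, action, log_group_arn):
    if pattern == "*":
        return True
    if action in WILDCARD_ONLY_ACTIONS:
        # The request carries no resource ARN, so only "*" can match it.
        return False
    # CreateLogStream is checked against the log group, PutLogEvents against a
    # stream inside it; "execution-stream" is a hypothetical stream name.
    stream_arn = f"{log_group_arn}:log-stream:execution-stream"
    return fnmatch.fnmatchcase(log_group_arn, pattern) or fnmatch.fnmatchcase(stream_arn, pattern)


def missing_permissions(policy, log_group_arn):
    """Return the required actions that no Allow statement effectively grants."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in REQUIRED_ACTIONS:
            if any(_action_matches(p, action) for p in actions) and any(
                _resource_covers(r, action, log_group_arn) for r in resources
            ):
                granted.add(action)
    return sorted(REQUIRED_ACTIONS - granted)


def least_privilege_policy(log_group_arn):
    """Two statements: "*" only where IAM forces it, the log group everywhere else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(WILDCARD_ONLY_ACTIONS), "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": sorted(SCOPED_ACTIONS),
                "Resource": [log_group_arn, f"{log_group_arn}:*"],
            },
        ],
    }


if __name__ == "__main__":
    import json
    print("question policy lacks:", missing_permissions(QUESTION_POLICY, LOG_GROUP_ARN))
    fixed = least_privilege_policy(LOG_GROUP_ARN)
    print("fixed policy lacks:", missing_permissions(fixed, LOG_GROUP_ARN))
    print(json.dumps(fixed, indent=2))
```

Running it reports the seven LogDelivery/ResourcePolicy actions as missing from the question's policy and nothing missing from the generated one, which is exactly the gap behind "not authorized to access the Log Destination": the actions were listed, but the `log-group:*/*` resource can never match a request that carries no resource ARN.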


3 votes

I hit the same error when using a CloudFormation template, `The state machine IAM Role is not authorized to access the Log Destination`, but the actual problem was that the YAML field `CloudWatchLogsLogGroup` was misconfigured.

So I updated it to use the syntax below and everything worked.

```yaml
  StateMachine:
    Type: AWS::Serverless::StateMachine
    DependsOn:
      - LogGroup
      - CustomRole
    Properties:
      Name: StateMachine
      Role: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomRole
      Logging:
        Destinations:
          - CloudWatchLogsLogGroup:
              LogGroupArn: !GetAtt LogGroup.Arn
        IncludeExecutionData: true
        Level: ALL
```

That said, I think the AWS documentation on this topic is very confusing.


0 votes

In addition to Tyn's answer, I also needed:

```hcl
statement {
  effect = "Allow"
  actions = [
    "xray:PutTraceSegments",
    "xray:PutTelemetryRecords",
    "xray:GetSamplingRules",
    "xray:GetSamplingTargets",
  ]
  resources = ["*"]
}
```