I am trying to query the AWS CloudWatch logs that are created by a Lambda Function. I have written a script to do this, which does the following:
1. `aws logs start-query`: Submit a query, with the appropriate time window and query string.
2. `aws logs get-query-results`: Return the log record pointer results from the query created in step (1).
3. `aws logs get-log-record`: Dereference the log record pointers from step (2) to get the log stream IDs.
4. `aws logs get-log-events`: Fetch the log events from the log streams found in step (3).
This works and now I'm trying to create a policy that will allow me to run all of the above without authentication. This is what I've come up with, going by the AWS CloudWatch Logs permissions reference:
```json
{
  "Effect": "Allow",
  "Action": [
    "logs:DescribeLogStreams",
    "logs:GetLogEvents",
    "logs:StartQuery",
    "logs:DescribeQueries",
    "logs:GetQueryResults",
    "logs:GetLogRecord"
  ],
  "Resource": [
    "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION",
    "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION:log-stream:*"
  ]
}
```
Unfortunately, this causes my script to fail at the second step. I can successfully create a query, but when I try to fetch its results, I get:
```
An error occurred (AccessDeniedException) when calling the GetQueryResults operation: User with accountId: ACCOUNT is not authorized to perform GetQueryResults
```
What am I missing? Clearly `GetQueryResults` is allowed, but it's still not working. What other actions do I need to allow for both step 2 and what follows to succeed?
It turns out that `GetQueryResults` and `GetLogRecord` should not be limited to a particular CloudWatch Logs resource but instead applied to everything. The following fixed the problem:
```json
[
  {
    "Effect": "Allow",
    "Action": [
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "logs:StartQuery"
    ],
    "Resource": [
      "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION",
      "arn:aws:logs:REGION:ACCOUNT:log-group:/aws/lambda/FUNCTION:log-stream:*"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "logs:GetQueryResults",
      "logs:GetLogRecord"
    ],
    "Resource": "*"
  }
]
```