I have a Lambda script that builds a custom metric to notify us of errors in an ECS Fargate Python script. Below is the block of code used:
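def get_error_count(client=None, group_name=None, pattern=None):
    """Count the log events matching ``pattern`` in the most recent log stream.

    The newest stream of the log group is located with ``DescribeLogStreams``
    (ordered by last event time, one result), then ``FilterLogEvents`` is run
    against that single stream.  ``FilterLogEvents`` is paginated, so the
    call is repeated while a ``nextToken`` is returned; the original version
    looked only at the first page.

    Args:
        client: CloudWatch Logs client; defaults to the module-level ``logs``.
        group_name: Log group to search; defaults to ``log_group_name``.
        pattern: Filter pattern to match; defaults to ``filter_pattern``.

    Returns:
        Number of matched events in the newest stream, or 0 when the log
        group has no streams.

    Raises:
        botocore ``ClientError`` from the AWS calls — in particular
        ``AccessDeniedException`` when the caller's execution role lacks
        ``logs:DescribeLogStreams`` / ``logs:FilterLogEvents`` on the log
        group (the policy must be attached to the role the function runs as).
    """
    # Fall back to the module-level configuration so existing callers that
    # pass nothing keep working.
    client = logs if client is None else client
    group_name = log_group_name if group_name is None else group_name
    pattern = filter_pattern if pattern is None else pattern

    log_streams = client.describe_log_streams(
        logGroupName=group_name,
        orderBy='LastEventTime',
        descending=True,
        limit=1,
    )['logStreams']
    if not log_streams:
        # Nothing to search yet (e.g. the task has not logged anything).
        return 0

    log_stream_name = log_streams[0]['logStreamName']
    print(f"Search for log steam {log_stream_name}")

    request = {
        'logGroupName': group_name,
        'logStreamNames': [log_stream_name],
        'filterPattern': pattern,
        'interleaved': False,
    }
    count = 0
    while True:
        response = client.filter_log_events(**request)
        count += len(response.get('events', []))
        next_token = response.get('nextToken')
        if not next_token:
            return count
        # Continue with the next page of results for the same stream.
        request['nextToken'] = next_token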
However, when executing the script in the Lambda function I get the error message below:
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeLogStreams operation: User: arn:aws:sts::253579060874:assumed-role/cloudwatch_custom_metric-role-2c9dwrgu/cloudwatch_custom_metric is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:us-west-1:253579060874:log-group:/ecs/github-pr:log-stream: because no identity-based policy allows the logs:DescribeLogStreams action
I already have a policy granting logs:DescribeLogStreams attached for the resource; the policy is below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:*",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:GetRole",
"iam:ListRoles",
"events:PutRule",
"events:ListRules",
"events:DeleteRule",
"events:DescribeEventBus",
"events:ListEventBuses",
"events:ListTargetsByRule",
"events:PutTargets",
"events:RemoveTargets",
"schemas:ListDiscoverers",
"cloudformation:DescribeStacks",
"s3:ListAllMyBuckets",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:InitiateLayerUpload",
"ecr:CompleteLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:GetRepositoryPolicy",
"ecr:DeleteRepository",
"cloudwatch:GetMetricData",
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:GetBucketAcl",
"s3:ListAccessPoints"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::latticework*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::latticework*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-skilljar-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-skilljar-data*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-finance-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-finance-data*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-aws-cost-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-aws-cost-data*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::253579060874:user/${lambda_user}"
}
]
}
But I am still getting the error. Please help.
An inline policy is already present, and it did not work either.
Issue resolved.
The issue was that the policy was not attached to the Lambda function's execution role (the assumed role named in the AccessDeniedException message). I took the role assigned to the Lambda function and attached the policy to that role.