Reputation: 2656
I am trying to create an AWS CloudWatch Canary. It's a simple Canary checking a URL.
In creating the Canary you need to create the Data Storage and the Access Permissions.
The following happens:
When I leave the Data Storage empty, I can set the Access Permissions to "Create a new role". Then I click on "Create Canary" and get an Error: "Data storage S3 location must be a valid S3 bucket or prefix"
Ok, then I specify an existing bucket where all CloudWatch output goes in.
Then I get another error on Access Permissions:
Why does AWS CloudWatch not see the roles?
The first comment, by @jordanm, suggested that none of my existing roles has a Trust Policy.
But I do have a Role with a Trust Policy. One of the Roles has this Trust Policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com",
              "ssm.amazonaws.com",
              "iam.amazonaws.com",
              "s3.amazonaws.com",
              "cloudwatch.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Is there something wrong with this Trust Policy?
I created a new Role:
This is clearly a "Role" on the "Account".
The Permissions Policy on this Role is the "CloudWatchFullAccess" Policy.
So, it looks like there is an IAM Role associated with this Account, which has the CloudWatch Permissions.
Why oh why is AWS telling me then in CloudWatch: "No IAM roles associated with this account"?
Upvotes: 0
Views: 226
Reputation: 2656
I got this working by making the following changes to my Canary:
Do not enter an S3 bucket but let AWS take the default, which will be a long bucket name starting with "cw-syn-results-....".
Let CloudWatch create a new role, called CloudWatchSyntheticsRole-canary-name-uuid. For every Canary you create, a new role is created. Very ugly.
So, it's working, but not in a very code-efficient way. Will need to get back to this later for a cleanup. But that will be after a couple of IAM courses :-)
Upvotes: 0
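Added example, not part of the posts above: a small offline check of which service principals a role's trust policy allows, run against the trust policy from the question. It assumes AWS's documented requirement that a canary's role lists `lambda.amazonaws.com` as a trusted principal (canaries run as Lambda functions); `MINIMAL_CANARY_POLICY` and the function names are hypothetical.

```python
import json

# Trust policy from the question above (constructed copy for offline use).
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com",
        "iam.amazonaws.com", "s3.amazonaws.com", "cloudwatch.amazonaws.com"]},
    "Action": "sts:AssumeRole"
  }]
}""")

# Assumption: canaries run as Lambda functions, so the role must trust this.
CANARY_PRINCIPAL = "lambda.amazonaws.com"

# Hypothetical least-privilege trust policy for a dedicated canary role.
MINIMAL_CANARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"Service": CANARY_PRINCIPAL},
                  "Action": "sts:AssumeRole"},
}

def as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(policy):
    """Service principals granted sts:AssumeRole by Allow statements.
    Simplification: Condition, Deny and NotPrincipal are not evaluated."""
    services = set()
    for stmt in as_list(policy.get("Statement")):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and actions & {"sts:assumerole", "sts:*", "*"}):
            services.update(s.lower() for s in as_list(principal.get("Service")))
    return services

def audit(policy, required=CANARY_PRINCIPAL):
    """Return (required principal trusted?, other trusted services to review)."""
    services = trusted_services(policy)
    return required in services, sorted(services - {required})

if __name__ == "__main__":
    print("question role:", audit(QUESTION_POLICY))
    print("minimal role: ", audit(MINIMAL_CANARY_POLICY))
```

The second element of the result lists every other service that can assume the role, which is worth trimming on a role shared across services.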