Reputation: 1
AWS identity-based policy error in Lambda script
I have a lambda script to build a custom metric to notify us of errors in ECS Fargate python script. Below is the block of code used:
def get_error_count():
log_streams = logs.describe_log_streams(
logGroupName=log_group_name,
orderBy='LastEventTime',
descending=True,
limit=1)['logStreams']
if log_streams:
log_stream_name = log_streams[0]['logStreamName']
print(f"Search for log steam {log_stream_name}")
response = logs.filter_log_events(
logGroupName=log_group_name,
logStreamNames=[log_stream_name],
filterPattern=filter_pattern,
interleaved=False)
However when executing the script in lambda function getting the below error message:
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeLogStreams operation: User: arn:aws:sts::253579060874:assumed-role/cloudwatch_custom_metric-role-2c9dwrgu/cloudwatch_custom_metric is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:us-west-1:253579060874:log-group:/ecs/github-pr:log-stream: because no identity-based policy allows the logs:DescribeLogStreams action
I already have logs:DescribeLogStreams policy attached for the resource and below is the policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:*",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:GetRole",
"iam:ListRoles",
"events:PutRule",
"events:ListRules",
"events:DeleteRule",
"events:DescribeEventBus",
"events:ListEventBuses",
"events:ListTargetsByRule",
"events:PutTargets",
"events:RemoveTargets",
"schemas:ListDiscoverers",
"cloudformation:DescribeStacks",
"s3:ListAllMyBuckets",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:InitiateLayerUpload",
"ecr:CompleteLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:GetRepositoryPolicy",
"ecr:DeleteRepository",
"cloudwatch:GetMetricData",
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:GetBucketAcl",
"s3:ListAccessPoints"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::latticework*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::latticework*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-skilljar-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-skilljar-data*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-finance-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-finance-data*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::s3-aws-cost-data*/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketVersioning",
"s3:CreateBucket",
"s3:PutBucketOwnershipControls",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucketVersions",
"s3:DeleteBucket",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::s3-aws-cost-data*"
},
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::253579060874:user/${lambda_user}"
}
]
}
But still getting error. Please help
already an inline policy is present which did not work
Upvotes: 0
Views: 235
Answers (1)
Reputation: 1
Issue resolved.
Issue is the policy is not mapped with Lambda script role. Hence took the role assigned to lambda script and assigned the policy to the role
Upvotes: 0
Related Questions
- AWS API Gateway Lambda Authorizer Returning 403 Error Despite Allow Policy
- AWS IAM resource policy and Lambda Role not working
- Localstack Lambda cannot conect to http://localhost:4566
- aws lambda function can't update ecs service
- Having issues uploada a new default c# function to AWS Lambda in Visual Studio
- Does AWS Lambda get-layer-version not work for cross-accounts?
- Error while doing AWS Lambda Cross Account integration with AWS SNS
- Calling iot:attachPolicy from AWS Lambda