add TagLogGroup iam permission
Setup lambda function fails to create node functions with error:
Error: Creating CloudWatch Log Group failed: AccessDeniedException: User with accountId: xxx is not authorized to perform CreateLogGroup with Tags
ianic committed Nov 7, 2022
1 parent f5d3b09 commit 89d864c
Showing 4 changed files with 5 additions and 1 deletion.
1 change: 1 addition & 0 deletions cli/controller/setup_stack_template.yml
Expand Up @@ -104,6 +104,7 @@ Resources:
- logs:UpdateLogDelivery
- logs:ListLogDeliveries
- logs:DeleteLogDelivery
- logs:TagLogGroup
Resource:
- "*"
- Effect: Allow
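Review bot: the new `logs:TagLogGroup` entry at the end of this action list inherits `Resource: "*"`, so the role can tag every log group in the account, not only the ones this stack creates. The neighbouring `logs:*LogDelivery` actions are the reason the statement uses a wildcard; tagging does not need one. Consider moving `logs:TagLogGroup` into its own statement scoped to the log group name pattern the setup function uses, as the `functions-node/iam.tf` change in this commit does with `log-group:*-${var.suffix}`. This matters more if tags are ever used in IAM conditions, since a principal that can retag any log group can change which policies apply to it.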
1 change: 1 addition & 0 deletions cli/controller/testdata/template.yml
Expand Up @@ -104,6 +104,7 @@ Resources:
- logs:UpdateLogDelivery
- logs:ListLogDeliveries
- logs:DeleteLogDelivery
- logs:TagLogGroup
Resource:
- "*"
- Effect: Allow
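Review bot: this fixture repeats the `setup_stack_template.yml` edit line for line at the same position (104,6 to 104,7), so the action list is now maintained by hand in two files. If `testdata/template.yml` is meant to be the expected rendering of the stack template, regenerate it from the template instead of editing it directly, so that a permission added to one file and forgotten in the other fails the test rather than passing unnoticed.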
3 changes: 2 additions & 1 deletion node/api/setup/setup.go
Expand Up @@ -208,7 +208,8 @@ const apiCloudwatchRolePolicy = `{
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents"
"logs:FilterLogEvents",
"logs:TagLogGroup"
],
"Resource": "*"
}
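Review bot: nothing in the commit message shows that the role carrying `apiCloudwatchRolePolicy` is the principal that received the AccessDeniedException; the reported failure is in the setup lambda creating node functions. Please confirm which role actually makes the tagged CreateLogGroup call and add `"logs:TagLogGroup"` only there, rather than to every log-related policy. If this role does need it, note that it is granted with `"Resource": "*"`; a log-group ARN pattern would keep the tagging right limited to the groups this API owns.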
1 change: 1 addition & 0 deletions node/terraform/modules/functions-node/iam.tf
Expand Up @@ -66,6 +66,7 @@ data "aws_iam_policy_document" "deploy" {
"logs:PutRetentionPolicy",
"logs:PutLogEvents",
"logs:DeleteLogGroup",
"logs:TagLogGroup",
]
resources = [
"arn:aws:logs:*:*:log-group:*-${var.suffix}",
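Review bot: the resource pattern that now also governs `"logs:TagLogGroup"` leaves region and account as wildcards (`arn:aws:logs:*:*:log-group:*-${var.suffix}`) and matches any log group whose name merely ends in the suffix. This is the only one of the four changes that scopes the permission at all, which is good, but it would be tighter to pin the account and region to the deployment's values and to anchor the name on a project prefix as well as the suffix. A short comment in the policy document saying that the tag action is required because log groups are created with tags would also help the next reader understand why it is in the deploy policy.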