logs: Support Resource policies


Reproduction Steps

import * as iam from '@aws-cdk/aws-iam';
import * as logs from '@aws-cdk/aws-logs';

const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
  retention: logs.RetentionDays.THREE_MONTHS,
});

// grantWrite() asks for logs:CreateLogStream + logs:PutLogEvents. A ServicePrincipal has no
// identity policy to attach to, so the grant can only succeed via a resource policy on the group.
cloudWatchLogGroup.grantWrite(new iam.ServicePrincipal('es.amazonaws.com')).assertSuccess();

Also fails with the resource policy that I need.

const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
  retention: logs.RetentionDays.THREE_MONTHS,
});

cloudWatchLogGroup
  .grant(
    new iam.ServicePrincipal('es.amazonaws.com'),
    'logs:PutLogEvents',
    'logs:PutLogEventsBatch',
    'logs:CreateLogStream'
  )
  .assertSuccess();

Error Log

Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:CreateLogStream,logs:PutLogEvents' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.
Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:PutLogEvents,logs:PutLogEventsBatch,logs:CreateLogStream' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.

Environment

  • CLI Version: 1.18.0
  • Framework Version: 1.18.0
  • OS: macOS
  • Language: TypeScript

Other

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 3
  • Comments: 26 (23 by maintainers)

Top GitHub Comments

blimmer commented, Apr 23, 2020

In case others run into this, I used the AwsCustomResource construct to help accomplish our goal here.

Here’s some code to hopefully help out if folks need to use this workaround in the meantime. Please note that this code is very specific to our use-case, so you’ll almost undoubtedly need to modify it to work for you.

import * as iam from '@aws-cdk/aws-iam';
import * as cr from '@aws-cdk/custom-resources';

// Cloudwatch logs have global resource policies that allow EventBridge to
// write logs to a given Cloudwatch Log group. That's currently not exposed
// via CloudFormation, so we use a Custom Resource here.
// See https://github.com/aws/aws-cdk/issues/5343
const policyName = '<fill in your unique policy name>';
new cr.AwsCustomResource(this, "CloudwatchLogResourcePolicy", {
  resourceType: "Custom::CloudwatchLogResourcePolicy",
  onUpdate: {
    service: "CloudWatchLogs",
    action: "putResourcePolicy",
    parameters: {
      policyName,
      // PolicyDocument must be provided as a string, so we can't use the iam.PolicyDocument provisions
      // or other CDK niceties here.
      policyDocument: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Sid: policyName,
            Effect: "Allow",
            Principal: {
              Service: ["delivery.logs.amazonaws.com", "events.amazonaws.com"],
            },
            Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
            // I'd prefer to use cdk.Arn.format() here, but that creates Fn::Join's in the template,
            // which AwsCustomResource can't handle.
            Resource: '<fill in your arn here>',
          },
        ],
      }),
    },
    physicalResourceId: cr.PhysicalResourceId.of(policyName),
  },
  onDelete: {
    service: "CloudWatchLogs",
    action: "deleteResourcePolicy",
    parameters: {
      policyName,
    },
  },
  policy: cr.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      actions: ["logs:PutResourcePolicy", "logs:DeleteResourcePolicy"],
      // Resource Policies are global in Cloudwatch Logs per-region, per-account.
      resources: ["*"],
    }),
  ]),
});
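As an added example (not code from the issue or from aws-cdk), the helpers below build the policyDocument string that putResourcePolicy expects, scoped to one log group and guarded with an aws:SourceAccount condition, and lint an existing policy string for the over-broad shape (Resource "*", no aws:Source* condition) that a reviewer would flag; every ARN and account id is constructed.

```typescript
// Added example, not code from the issue or from aws-cdk. Builds the string that
// putResourcePolicy expects and lints it. ARNs and account ids are constructed.
interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: { Service: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[]; }

// Scope the grant to one log group: logs:CreateLogStream matches the log-group ARN,
// logs:PutLogEvents matches log-stream ARNs, which the ":*" suffix covers. The
// aws:SourceAccount condition keeps the service principal from writing on behalf
// of another account (confused-deputy guard).
function buildLogsResourcePolicy(
  policyName: string, services: string[], logGroupArn: string, sourceAccount: string,
): string {
  const base = logGroupArn.replace(/:\*$/, ""); // CFN GetAtt Arn already ends in ":*"
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{
      Sid: policyName,
      Effect: "Allow",
      Principal: { Service: services },
      Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: [base, `${base}:*`],
      Condition: { StringEquals: { "aws:SourceAccount": sourceAccount } },
    }],
  };
  return JSON.stringify(doc); // putResourcePolicy takes the document as a string
}

// Review pass for an existing policy string: flag Allow statements that grant on
// Resource "*" or that carry no aws:SourceAccount / aws:SourceArn condition.
function lintLogsResourcePolicy(policyJson: string): string[] {
  const findings: string[] = [];
  const doc = JSON.parse(policyJson) as PolicyDocument;
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const sid = s.Sid ?? "<no Sid>";
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    if (resources.some((r) => r === "*")) findings.push(`${sid}: Resource is "*"`);
    if (!/aws:Source(Account|Arn)/.test(JSON.stringify(s.Condition ?? {}))) {
      findings.push(`${sid}: no aws:SourceAccount/aws:SourceArn condition`);
    }
  }
  return findings;
}
```

The returned string drops straight into the `policyDocument` parameter of the AwsCustomResource call above; the lint pass can be run over it in a unit test before the stack is synthesized.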
cmckni3 commented, Sep 7, 2022

^ @cmckni3 appreciate the suggestion, but I did try that and unfortunately Aws.PARTITION is a token and not resolvable in the context of this Aspect

Yeah, makes sense depending on how you synth.
