viv*_*dha 9 amazon-web-services aws-lambda aws-step-functions
I'm running into some permission problems that I can't figure out.
The Step Function deployment fails with this error:
```
Error: AccessDeniedException: The state machine IAM Role is not authorized to access the Log Destination
10:12:19 status code: 400, request id: ff46f8c0-fcc8-4190-ba6a-13f5ab617c78
10:12:19
10:12:19 on step_function.tf line 1, in resource "aws_sfn_state_machine" "oss_integration_data_process_sf":
10:12:19 1: resource "aws_sfn_state_machine" "os_int_data_process_sf" {
```
Interestingly, it only happens for one lambda, even though all the lambdas share the same prefix, and we have granted the Step Function these permissions:
```json
{
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:AssociateKmsKey",
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups"
  ],
  "Resource": [
    "arn:aws:logs:us-east-1:XXXX:log-group:*/*"
  ],
  "Effect": "Allow"
}
```
I can run the lambda after deployment and see the CW log stream with the lambda name being created.
Tyn*_*Tyn 12
I ran into the same problem and solved it by updating the role's policy as described here: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
Normally PutLogEvents and CreateLogStream should be enough for resources like Lambda, but apparently Step Functions needs the other logging permissions as well.
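To make the "other logging permissions" concrete, here is an added example (not code from either poster) that checks an IAM policy document for the set of CloudWatch Logs actions the linked Step Functions documentation lists. The policy in that documentation grants the log-delivery and resource-policy actions (`CreateLogDelivery`, `PutResourcePolicy`, and so on) on `Resource: "*"`, since those APIs are not scoped to a log group, so the checker also flags a policy that grants them only on log-group ARNs. The sample policies, the `ACCOUNT_ID_PLACEHOLDER` value and the function names are all constructed for this example.

```python
import fnmatch

# Actions listed in the Step Functions CloudWatch Logs documentation
# (https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html).
REQUIRED_LOGGING_ACTIONS = frozenset({
    "logs:CreateLogDelivery",
    "logs:CreateLogStream",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutLogEvents",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
})

# Log-delivery and resource-policy actions operate at account level; the
# documented policy grants them on Resource "*", not on a log-group ARN.
ACCOUNT_LEVEL_ACTIONS = frozenset({
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_sfn_logging_policy(policy):
    """Return which required actions are missing and which account-level
    actions are granted only on a narrower resource than "*".

    Simplification (assumption of this example): only Allow statements with an
    explicit Action are considered; Deny, NotAction and Condition are ignored.
    """
    granted = {}  # action -> set of resources it is allowed on
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in REQUIRED_LOGGING_ACTIONS:
            if any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                granted.setdefault(action, set()).update(resources)
    missing = sorted(REQUIRED_LOGGING_ACTIONS - granted.keys())
    narrow = sorted(a for a in ACCOUNT_LEVEL_ACTIONS
                    if a in granted and "*" not in granted[a])
    return {"missing": missing, "scoped_too_narrowly": narrow}


# Constructed sample 1: the shape of the policy in the question, every action
# present but everything scoped to log-group ARNs.
ASKER_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_LOGGING_ACTIONS | {"logs:CreateLogGroup", "logs:AssociateKmsKey"}),
        "Resource": ["arn:aws:logs:us-east-1:ACCOUNT_ID_PLACEHOLDER:log-group:*/*"],
    }],
}

# Constructed sample 2: the policy shape from the linked documentation.
DOCUMENTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(REQUIRED_LOGGING_ACTIONS), "Resource": "*"}],
}

# Constructed sample 3: a Lambda-style policy that only writes log events.
LAMBDA_STYLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in [("asker-style", ASKER_STYLE_POLICY),
                      ("documented", DOCUMENTED_POLICY),
                      ("lambda-style", LAMBDA_STYLE_POLICY)]:
        print(name, check_sfn_logging_policy(pol))
```

Running it on the asker-style policy reports no missing actions but lists the seven account-level actions as scoped too narrowly; the documented policy passes cleanly; the Lambda-style policy is missing the eight delivery, resource-policy and describe actions.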
小智 4
I hit the same error, `The state machine IAM Role is not authorized to access the Log Destination`, when using a CloudFormation template, but the actual problem was that the YAML field `CloudWatchLogsLogGroup` was misconfigured.
So I updated it to use the syntax below, and everything worked.
```yaml
StateMachine:
  Type: AWS::Serverless::StateMachine
  DependsOn:
    - LogGroup
    - CustomRole
  Properties:
    Name: StateMachine
    Role: !Sub arn:aws:iam::${AWS::AccountId}:role/CustomRole
    Logging:
      Destinations:
        - CloudWatchLogsLogGroup:
            LogGroupArn: !GetAtt LogGroup.Arn
      IncludeExecutionData: true
      Level: ALL
```
That said, I think the AWS documentation on this topic is very confusing.
Views: 10783