Hi there,
AMP uses the IAM permissions that are assigned to a user or role to determine which actions can be performed on the AMP resources. As stated in the document below, users and roles don't have default permission to create or modify Amazon Managed Service for Prometheus resources. To grant users permission to perform actions on the resources that they need, an IAM administrator can create IAM policies. The administrator can then add the IAM policies to roles, and users can assume the roles. You can, however, just assign the IAM policies to the users themselves if you do not wish to add them to a role or group.
[+] https://docs.aws.amazon.com/prometheus/latest/userguide/security_iam_id-based-policy-examples.html
Please see the answers to your questions below:
-
It is the IAM permissions of the user who is interacting with the AMP workspace that determines the correct permissions. So everyone who will be interacting with the workspace would need to have the correct permissions assigned to their IAM user.
-
You have not misunderstood. You would need to adjust your IAM permissions in order to get your CloudWatch logs working with AMP.
How about moving those permission policies from your personal IAM user to the IAM user group you and the other devs are in? That should give you some breathing room while you wait for an expert to answer your other questions.
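To illustrate the point made in the answer above (permissions follow the IAM identity of whoever calls the AMP API) and the suggestion of moving the policy to a group, here is an added, simplified identity-policy evaluator; it is not AWS code and not from this thread. The workspace ARN, account id, user and group names are constructed placeholders, and real IAM evaluation also considers resource policies, SCPs and permission boundaries, which this toy ignores.

```python
"""Toy model of IAM identity-based policy evaluation (added example).
Implicit deny by default, explicit Deny always wins, and a user's effective
policies are those attached directly plus those of every group it belongs to."""
import fnmatch

# Constructed sample values: placeholder account id and workspace id.
WORKSPACE_ARN = "arn:aws:aps:eu-west-1:111122223333:workspace/ws-EXAMPLE"
AMP_ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["aps:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/prometheus/*"},
]}

def _matches(patterns, value):
    """IAM-style wildcard match; '*' may span ':' and '/' in ARNs, as fnmatch allows."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource):
    """Return True only if some statement allows the call and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False          # explicit Deny overrides any Allow
                allowed = True
    return allowed

def effective_policies(user, users, groups):
    """Policies attached to the user itself plus those of its groups."""
    pols = list(users[user]["policies"])
    for g in users[user]["groups"]:
        pols.extend(groups[g]["policies"])
    return pols

def can(user, action, resource, users, groups):
    return is_allowed(effective_policies(user, users, groups), action, resource)

def scenario():
    """alice created the workspace and holds the policy; bob is a teammate.
    Returns (bob_before, bob_after) moving the policy from alice to the group."""
    groups = {"devs": {"policies": []}}
    users = {"alice": {"groups": ["devs"], "policies": [AMP_ADMIN_POLICY]},
             "bob":   {"groups": ["devs"], "policies": []}}
    before = can("bob", "aps:QueryMetrics", WORKSPACE_ARN, users, groups)
    users["alice"]["policies"].remove(AMP_ADMIN_POLICY)
    groups["devs"]["policies"].append(AMP_ADMIN_POLICY)   # attach to the group instead
    after = can("bob", "aps:QueryMetrics", WORKSPACE_ARN, users, groups)
    return before, after
```

Running `scenario()` returns `(False, True)`: bob cannot touch the workspace while the policy sits on alice's user, and can once it is on the shared group, which also means alice's account being removed would no longer take the permissions with it.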
Thank you for your suggestion! At the moment this is not a problem for me since my account will not be removed in the foreseeable future. My question is more to get an answer to whether this really is how it works, since it leads to so many problems managing AMP workspaces. I am comparing to an ECS service task for example, where you connect IAM roles and execution roles to the task to give it permissions to do what it needs to do. It seems very weird if for an AMP workspace this is instead done by adding permission policies to the user who created the workspace. I must have misunderstood something.
Thank you for your answer, and sorry about the late reply. The reason I asked this question in the first place was that I was not getting logs from my AMP workspace. I added a policy with permissions to create logs for the specific workspace to the user I had used to create that workspace. I then got a log stream in the log group with an entry stating "Permissions are set correctly to allow AWS CloudWatch Logs to write into your logs while creating a subscription." I figured that had solved the problem. However, two things make me question if my problem with not getting logs had anything to do with incorrect permissions after all: