This is most likely due to an IAM permission issue (the role not having the necessary permissions).
The other possible cause is a limitation of an internal dependency related to the size of the CloudWatch Logs resource policy. Internally, the service attempts to update the resource policy document when we create a state machine with a new CloudWatch Logs log group. If the policy document exceeds the 5120 character limit, you would see the error "The state machine IAM Role is not authorized to access the Log Destination". https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL
I would request you to please use the AWS CLI to determine the size of the resource policy: aws logs describe-resource-policies
For more details, please refer to https://docs.aws.amazon.com/cli/latest/reference/logs/describe-resource-policies.html
To unblock yourself from this situation, you can update the resource policy to use "Resource": "*". To update the policy: aws logs put-resource-policy --policy-name $POLICY_NAME --policy-document $POLICY_DOCUMENT
Where $POLICY_NAME is the policy name from the describe-resource-policies result, usually in the form AWSLogDeliveryWriteXXXX, and $POLICY_DOCUMENT is a copy of the policyDocument from the describe-resource-policies result with the Resource array replaced with "*".
Alternatively, you can also remove unused entries from the Resource array, if you do not want to use a * policy.
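As an added example (not from the answer above and not AWS tooling), a small Python helper that performs the size check against the 5120 character limit on a constructed sample shaped like the describe-resource-policies response, and prunes log-group ARNs that are no longer in use so the policy stays scoped instead of falling back to "*". The policy name suffix, account id and ARNs are made up for the sample.

```python
import json

# Character limit for a CloudWatch Logs resource policy, from the documentation cited above.
CWL_RESOURCE_POLICY_LIMIT = 5120

# Constructed sample shaped like `aws logs describe-resource-policies` output (not real output).
SAMPLE_RESPONSE = {
    "resourcePolicies": [
        {
            "policyName": "AWSLogDeliveryWrite20230101",  # constructed name
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AWSLogDeliveryWrite",
                    "Effect": "Allow",
                    "Principal": {"Service": "delivery.logs.amazonaws.com"},
                    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                    "Resource": [
                        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/sm-a:*",
                        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/sm-b:*",
                        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/old-sm:*",
                    ],
                }],
            }),
            "lastUpdatedTime": 1672531200000,
        }
    ]
}


def policy_sizes(response):
    """Map each policy name to the length of its policyDocument string in characters."""
    return {p["policyName"]: len(p["policyDocument"]) for p in response["resourcePolicies"]}


def over_limit(response, limit=CWL_RESOURCE_POLICY_LIMIT):
    """Names of policies whose document exceeds the limit (the failure mode described above)."""
    return [name for name, size in policy_sizes(response).items() if size > limit]


def prune_resources(policy_document, in_use_arns):
    """Drop Resource entries not in in_use_arns; returns (compact new document, removed ARNs).

    A string Resource (e.g. "*") is left untouched. The returned document can be passed to
    `aws logs put-resource-policy --policy-document` after review.
    """
    doc = json.loads(policy_document)
    removed = []
    for stmt in doc["Statement"]:
        res = stmt.get("Resource")
        if not isinstance(res, list):
            continue
        removed.extend(r for r in res if r not in in_use_arns)
        stmt["Resource"] = [r for r in res if r in in_use_arns]
    return json.dumps(doc, separators=(",", ":")), removed
```

To run it against a real account, save `aws logs describe-resource-policies` output to a file, `json.load` it in place of SAMPLE_RESPONSE, and build in_use_arns from the log groups your state machines actually log to.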
Your command does not show the '--role-arn' specified. That role needs to have the CloudWatch Logs permissions.
Hey Kentrad,
Yes, I didn't post the complete command, but I found a hidden deny statement in an inline policy that was preventing the correct access. Thanks for your message.
Hey AWS Learner,
I came to find that the solution was a bit simpler. A "hidden" deny statement in an inline policy someone has tested did the trick for me, but thanks for your msg.