Does anyone have an idea why the policy is missing the necessary permissions?
Might it be related to ElastiCache updates?
@Dor Have you been able to resolve the issue? I'm experiencing the same problem. The documentation isn't very helpful.
No, still can't see logs correctly.
@Dor @Vrathore We are also facing the same issue; the necessary permissions are not present for sending logs to CloudWatch from ElastiCache.
In AWS, service-linked roles have permissions that are defined by the service that uses them. You cannot modify the permissions for these roles. They are designed to ensure that AWS services can securely manage resources in your account.
However, what you may need to do is to ensure that the necessary permissions are in place for CloudWatch to receive logs. If you're using a service-linked role for ElastiCache, the necessary permissions should already be in place, but if you're using a different role, you may need to add them.
The necessary permissions for writing logs to CloudWatch are:
- logs:CreateLogDelivery
- logs:UpdateLogDelivery
- logs:DeleteLogDelivery
- logs:GetLogDelivery
- logs:ListLogDeliveries
These permissions need to be in the IAM policy for the role that's writing the logs. In the case of ElastiCache, the necessary permissions should already be in place with the service-linked role.
For the outlined steps you can follow this link:
https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Log_Delivery.html
Thanks for your answer. I'm using a service-linked role, but the permissions are not in place. I'm adding the policy of the role used by ElastiCache.
Role: AWSServiceRoleForElastiCache
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupIngress",
                "cloudwatch:PutMetricData",
                "outposts:GetOutpost",
                "outposts:GetOutpostInstanceTypes",
                "outposts:ListOutposts",
                "outposts:ListSites"
            ],
            "Resource": "*"
        }
    ]
}
Could anyone please help us with modifying the service-linked role policy/permissions for sending logs to CloudWatch from ElastiCache? Ideally all necessary permissions should be present here:
- logs:CreateLogDelivery
- logs:UpdateLogDelivery
- logs:DeleteLogDelivery
- logs:GetLogDelivery
- logs:ListLogDeliveries
I was struggling with this for some time, but after opening a case with AWS, I finally was able to solve it.
Problem Overview
Enabling logs in ElastiCache requires granting the delivery.logs.amazonaws.com service permission to write into CloudWatch Logs. This service serves as a gateway for logging, and the necessary policy is automatically managed by AWS.
Checking Existing Policies
To verify existing policies, use the AWS Command Line Interface with the following command:
aws logs describe-resource-policies --region region
So in my case, this was totally empty; nothing was allowed:
{
"resourcePolicies": []
}
Adding Policies
Unfortunately, you can't manage these policies through the AWS Management Console. Instead, use awscli or a Terraform resource.
As an example, to grant full access to the mentioned services, execute the following command:
aws logs put-resource-policy --region ap-southeast- --policy-name AWSLogDeliveryWrite20150319 --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"*\"]}]}"
Note: The provided command grants full access; for more granular control, adjust the policy accordingly.
Verification
After updating the policies, revisit your ElastiCache Redis settings. Disable and re-enable logs, and you should observe the issue resolved.
Actually, doing this from the console should force AWS to introduce/modify the proper policy automatically, but for some reason this does not always work as expected.
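The answer above checks the resource policy by eye and then installs a policy with "Resource": "*". As an added example that is not part of the original answer or of any AWS tooling, the script below does both steps offline: it parses the JSON that `aws logs describe-resource-policies` prints and reports which of the two write actions delivery.logs.amazonaws.com is still missing for a given log group, and it builds a narrower replacement policy scoped to that log group with the aws:SourceAccount / aws:SourceArn conditions that guard against a confused-deputy write from another account. The account ID, region and log-group name are placeholders, the sample describe output is constructed, and policy conditions are not evaluated by the checker (it only looks at principal, action and resource).

```python
"""Offline check of the CloudWatch Logs resource policy that ElastiCache log
delivery depends on, plus a least-privilege replacement for the "Resource": "*"
policy. Standard library only; feed it the JSON that
`aws logs describe-resource-policies --region <region>` prints."""
import fnmatch
import json

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource_arn):
    """True if stmt names the log-delivery service, the action and the ARN.
    Conditions are not evaluated here (a failing aws:SourceAccount/SourceArn
    condition would still block the write in AWS)."""
    principal = stmt.get("Principal", {})
    services = ["*"] if principal == "*" else _as_list(principal.get("Service"))
    if not any(fnmatch.fnmatchcase(LOG_DELIVERY_PRINCIPAL, s) for s in services):
        return False
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action"))):
        return False
    return any(fnmatch.fnmatchcase(resource_arn, r)
               for r in _as_list(stmt.get("Resource")))


def missing_delivery_permissions(describe_output, log_group_arn):
    """Return the required actions that the account's resource policies do not
    grant delivery.logs.amazonaws.com on log_group_arn (empty set == OK)."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    statements = []
    for policy in data.get("resourcePolicies", []):
        doc = policy["policyDocument"]  # the CLI returns this as a JSON string
        doc = json.loads(doc) if isinstance(doc, str) else doc
        statements.extend(_as_list(doc.get("Statement")))
    # Both actions are authorised against a log-stream ARN under the group.
    stream_arn = f"{log_group_arn}:log-stream:example-stream"
    missing = set()
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _statement_matches(s, action, stream_arn)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_matches(s, action, stream_arn)
                     for s in statements)
        if denied or not allowed:
            missing.add(action)
    return missing


def build_scoped_policy(account_id, region, log_group_name):
    """Least-privilege alternative to the "Resource": "*" policy: only the
    delivery service, only the two write actions, only this log group, and only
    for requests that originate from this account (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": list(REQUIRED_ACTIONS),
            "Resource": [
                f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {"aws:SourceAccount": [account_id]},
                "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{account_id}:*"]},
            },
        }],
    }


def put_resource_policy_command(region, policy_name, policy):
    """Argument vector for the CLI call that installs the policy (run it
    yourself; nothing in this script talks to AWS)."""
    return ["aws", "logs", "put-resource-policy", "--region", region,
            "--policy-name", policy_name, "--policy-document", json.dumps(policy)]


# Constructed sample values; account ID, region and group name are placeholders.
ACCOUNT, REGION, GROUP = "123456789012", "eu-west-1", "/aws/elasticache/redis-slow-log"
GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{GROUP}"
EMPTY_OUTPUT = '{"resourcePolicies": []}'  # what the thread's author saw


def describe_output_for(policy, name="AWSLogDeliveryWrite20150319"):
    """Constructed `describe-resource-policies` output wrapping one policy."""
    return json.dumps({"resourcePolicies": [
        {"policyName": name, "policyDocument": json.dumps(policy), "lastUpdatedTime": 0}]})


if __name__ == "__main__":
    print("empty account ->", sorted(missing_delivery_permissions(EMPTY_OUTPUT, GROUP_ARN)))
    scoped = build_scoped_policy(ACCOUNT, REGION, GROUP)
    print("scoped policy ->", sorted(missing_delivery_permissions(describe_output_for(scoped), GROUP_ARN)))
    print(" ".join(put_resource_policy_command(REGION, "AWSLogDeliveryWrite20150319", scoped)))
```

To use it against a real account, pass the output of `aws logs describe-resource-policies --region <region>` to missing_delivery_permissions together with the ARN of the log group you configured in ElastiCache; an empty set means the delivery service can already write there, so the problem lies elsewhere (for example the log group does not exist yet or a condition in an existing statement does not match). Note that CloudWatch Logs caps the number of resource policies per region, so prefer updating the existing AWSLogDeliveryWrite policy over adding a second one.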
Still struggling with getting the logs, any ideas?