Cannot Update Trail with CloudWatch Log Group via Boto3

0

Hey all,

I'm trying to update my CloudTrail trail with a CloudWatch Log Group. I first create an IAM Role (that will be assumed by CloudTrail), then create the CloudWatch Log Group, and then run the update_trail Boto3 API call. The error I receive when trying to update is:

"errorCode": "InvalidCloudWatchLogsRoleArnException"
"errorMessage": "Access denied. Check the trust relationships for your role."

The API request extracted from CloudTrail itself looks like:

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<principal_id>:auto-remediate-dev",
        "arn": "<sts_arn>",
        "accountId": "<acc_num>",
        "accessKeyId": "<access_key>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<principal_id>",
                "arn": "arn:aws:iam::<acc_num>:role/auto-remediate-dev-AutoRemediate-<region>-lambdaRole",
                "accountId": "<acc_num>",
                "userName": "auto-remediate-dev-AutoRemediate-<region>-lambdaRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2019-05-15T09:13:30Z"
            }
        }
    },
    "eventTime": "2019-05-15T09:58:20Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "UpdateTrail",
    "awsRegion": "<region>",
    "sourceIPAddress": "13.238.217.58",
    "userAgent": "Boto3/1.9.42 Python/3.7.3 Linux/4.14.109-80.92.amzn1.x86_64 exec-env/AWS_Lambda_python3.7 Botocore/1.12.42",
    "errorCode": "InvalidCloudWatchLogsRoleArnException",
    "errorMessage": "Access denied. Check the trust relationships for your role.",
    "requestParameters": {
        "name": "MaratTest",
        "cloudWatchLogsLogGroupArn": "arn:aws:logs:<region>:<acc_num>:log-group:/aws/cloudtrail/MaratTest:*",
        "cloudWatchLogsRoleArn": "arn:aws:iam::<acc_num>:role/CloudTrail-CloudWatchLogs-MaratTest"
    },
    "responseElements": null,
    "requestID": "3244c931-3892-4fca-9664-df38cdb3be54",
    "eventID": "0d5a1e82-95be-46b5-a430-91a407bd7b13",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "<acc_num>"
}

The strange thing about this is, when I use the exact same IAM Role and CloudWatch Log Group but initiate the CloudTrail update via the console, it all works perfectly, and the exact same API request is captured by CloudTrail but is successful this time.

I'm not sure what the error could be and nothing I've researched has helped me find the right solution. Any help would be greatly appreciated.

mlevit
Asked 5 years ago, 727 views
2 answers
0
Accepted answer

It is possible that the IAM role was not propagated yet when you attempted to update the trail. Is the problem still occurring?

If so, I recommend that you double-check the role policy and trust relationships as the next step.

If the issue is not resolved, you could post the role policy and trust policy or you could open a case with AWS support to dive deeper.

Answered 5 years ago
Expert
Reviewed 10 months ago
0

Thanks very much Jeff. We actually solved this a couple of hours after posting. The answer was as you first mentioned... the IAM Role had not propagated throughout the system quickly enough for me to assign it.

mlevit
Answered 5 years ago
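The procedure in the question (create the role CloudTrail assumes, create the log group, call update_trail) together with the cause given in the accepted answer (the freshly created role has not propagated yet) can be written so the script tolerates the propagation window instead of failing on the first call. The following is an added example, not code from the original post; it assumes the trail, role and log-group names from the question, scopes the role's permissions to log streams inside that one log group (a least-privilege choice, not something the thread specifies), and retries UpdateTrail with exponential backoff only on the InvalidCloudWatchLogsRoleArnException seen in the thread. The AWS calls are isolated under the main block so the helpers can be imported and tested without boto3.

```python
"""Create the CloudTrail -> CloudWatch Logs role, create the log group, and
wire both to a trail, retrying UpdateTrail while IAM propagates the new role.
Added example; names below are taken from the question, not from AWS docs."""
import json
import time
from typing import Optional

# The only error the thread shows for a freshly created role. IAM is
# eventually consistent, so a correct role can still be rejected for a while.
RETRYABLE_ERRORS = {"InvalidCloudWatchLogsRoleArnException"}


def build_trust_policy() -> dict:
    """Trust policy letting the CloudTrail service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def build_logs_policy(log_group_arn: str) -> dict:
    """Permissions policy limited to log streams inside the one log group.
    log_group_arn is the ':*' form that describe_log_groups returns."""
    base = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"{base}:log-stream:*",
        }],
    }


def error_code(exc: Exception) -> Optional[str]:
    """Extract the AWS error code from a botocore ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def update_trail_with_retry(cloudtrail, trail_name, log_group_arn, role_arn,
                            attempts=6, base_delay=2.0, sleep=time.sleep):
    """Call UpdateTrail, backing off (2s, 4s, 8s, ...) while the role is still
    propagating. Any other error is raised immediately, unretried."""
    last_exc = None
    for attempt in range(attempts):
        try:
            return cloudtrail.update_trail(
                Name=trail_name,
                CloudWatchLogsLogGroupArn=log_group_arn,
                CloudWatchLogsRoleArn=role_arn,
            )
        except Exception as exc:
            if error_code(exc) not in RETRYABLE_ERRORS:
                raise
            last_exc = exc
            sleep(base_delay * (2 ** attempt))
    raise RuntimeError(f"UpdateTrail still failing after {attempts} attempts") from last_exc


if __name__ == "__main__":
    import boto3  # only needed for a real run; the helpers above import without it

    trail_name = "MaratTest"                                  # from the question
    role_name = f"CloudTrail-CloudWatchLogs-{trail_name}"     # from the question
    log_group = f"/aws/cloudtrail/{trail_name}"               # from the question
    iam, logs, cloudtrail = (boto3.client("iam"), boto3.client("logs"),
                             boto3.client("cloudtrail"))

    logs.create_log_group(logGroupName=log_group)
    log_group_arn = next(
        g["arn"] for g in logs.describe_log_groups(logGroupNamePrefix=log_group)["logGroups"]
        if g["logGroupName"] == log_group)
    role_arn = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy()))["Role"]["Arn"]
    iam.put_role_policy(
        RoleName=role_name, PolicyName="CloudTrailToCloudWatchLogs",
        PolicyDocument=json.dumps(build_logs_policy(log_group_arn)))
    print(update_trail_with_retry(cloudtrail, trail_name, log_group_arn, role_arn))
```

The retry is deliberately narrow: a wrong trust policy also produces InvalidCloudWatchLogsRoleArnException, so the loop gives up after a bounded number of attempts and re-raises the last error rather than masking a genuinely misconfigured role; anything else (a missing trail, a permissions error on the caller) fails on the first call.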
