This is most likely due to an IAM permission issue, with the role not having the necessary permissions.
The other possible cause is a limitation of an internal dependency related to the size of the CloudWatch Logs resource policy. Internally the service attempts to update the resource policy document when we create a state machine with a new CloudWatch Logs log group. If the policy document exceeds the 5120 character limit you would see the error "The state machine IAM Role is not authorized to access the Log Destination". https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL
I would request you to please use the AWS CLI to determine the size of the resource policy: aws logs describe-resource-policies
For more details, please refer to https://docs.aws.amazon.com/cli/latest/reference/logs/describe-resource-policies.html
To unblock yourself from this situation, you can update the resource policy to use "Resource": "*". To update the policy: aws logs put-resource-policy --policy-name $POLICY_NAME --policy-document $POLICY_DOCUMENT
Where $POLICY_NAME is the policy name from describe-resource-policies, usually in the form AWSLogDeliveryWriteXXXX, and $POLICY_DOCUMENT is a copy of the policyDocument from the describe-resource-policies result with the Resource array replaced with "*".
Alternatively, you can also remove unused entries from the Resource array if you do not want to use a * policy.
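The check and both fixes described in the answer above, as an added worked example (not code from the answer's author or from AWS). It assumes only the real output shape of aws logs describe-resource-policies (a resourcePolicies array of policyName/policyDocument entries); the statement layout of the AWSLogDeliveryWrite document, the account ID 123456789012, the region and the log group names are constructed sample data. It measures each policy document against the 5120 character limit, and then shows the narrower fix (prune Resource ARNs whose log group is no longer in use) next to the broad one (replace Resource with "*"). The pruning path refuses to emit a statement with an empty Resource list, since that would not be a valid policy.

```python
import json
from typing import Optional

# Resource-policy size limit cited in the answer above (CloudWatch Logs docs).
CWL_RESOURCE_POLICY_MAX_CHARS = 5120

# Constructed sample data: placeholder account, region and log group names.
_ACCOUNT = "123456789012"
_REGION = "us-east-1"
IN_USE_GROUPS = {"/aws/vendedlogs/states/order-pipeline",
                 "/aws/vendedlogs/states/nightly-batch"}
_STALE_GROUPS = {f"/aws/vendedlogs/states/test-run-{i:03d}" for i in range(80)}


def _log_group_arn(name: str) -> str:
    return f"arn:aws:logs:{_REGION}:{_ACCOUNT}:log-group:{name}:*"


def _delivery_policy(resources: list) -> str:
    """Compact AWSLogDeliveryWrite-style document (constructed approximation)."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Sid": "AWSLogDeliveryWrite20150319",
                          "Effect": "Allow",
                          "Principal": {"Service": ["delivery.logs.amazonaws.com"]},
                          "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                          "Resource": resources,
                          "Condition": {"StringEquals": {"aws:SourceAccount": [_ACCOUNT]}}}]}
    return json.dumps(doc, separators=(",", ":"))


# Constructed stand-in for `aws logs describe-resource-policies` output: one policy
# bloated by 80 stale log groups, one small policy that is fine.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"resourcePolicies": [
    {"policyName": "AWSLogDeliveryWrite20201210",
     "policyDocument": _delivery_policy(sorted(_log_group_arn(g) for g in IN_USE_GROUPS | _STALE_GROUPS))},
    {"policyName": "SmallPolicyExample",
     "policyDocument": _delivery_policy([_log_group_arn("/aws/vendedlogs/states/nightly-batch")])},
]})


def load_policies(describe_output: str) -> dict:
    """Map policyName -> policyDocument (a JSON string) from the CLI output."""
    data = json.loads(describe_output)
    return {p["policyName"]: p["policyDocument"] for p in data.get("resourcePolicies", [])}


def oversized_policies(policies: dict) -> dict:
    """policyName -> document length for every document over the limit."""
    return {name: len(doc) for name, doc in policies.items()
            if len(doc) > CWL_RESOURCE_POLICY_MAX_CHARS}


def _log_group_name(arn: str) -> Optional[str]:
    """Extract the log group name from a log-group ARN, or None if it is not one."""
    if ":log-group:" not in arn:
        return None
    name = arn.split(":log-group:", 1)[1]
    return name[:-2] if name.endswith(":*") else name


def statement_resources(policy_document: str) -> list:
    """Resource entries of the first statement, normalised to a list."""
    res = json.loads(policy_document)["Statement"][0].get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def prune_resources(policy_document: str, in_use_groups: set) -> str:
    """Narrow fix: keep only Resource ARNs whose log group is still in use."""
    doc = json.loads(policy_document)
    for stmt in doc["Statement"]:
        res = stmt.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        kept = [r for r in res if r == "*" or _log_group_name(r) in in_use_groups]
        if not kept:
            raise ValueError(f"statement {stmt.get('Sid')} would have no Resource left")
        stmt["Resource"] = kept
    return json.dumps(doc, separators=(",", ":"))


def wildcard_resources(policy_document: str) -> str:
    """Broad fix from the answer: replace every Resource with "*"."""
    doc = json.loads(policy_document)
    for stmt in doc["Statement"]:
        stmt["Resource"] = "*"
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    policies = load_policies(SAMPLE_DESCRIBE_OUTPUT)
    for name, size in oversized_policies(policies).items():
        print(f"{name}: {size} chars exceeds {CWL_RESOURCE_POLICY_MAX_CHARS}")
        pruned = prune_resources(policies[name], IN_USE_GROUPS)
        print(f"  pruned to {len(pruned)} chars, {len(statement_resources(pruned))} resources")
        # The pruned document is what you would pass to:
        #   aws logs put-resource-policy --policy-name <name> --policy-document file://policy.json
```

Pruning keeps the delivery principal scoped to log groups the account still uses; the "*" form lets the log delivery service write to any log group in the account, so it is the quicker unblock but the wider grant. Writing the document to a file and passing it as file://policy.json avoids shell-quoting problems with the inline JSON.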
Your command does not show the '--role-arn' specified. That role needs to have the CloudWatch Logs permissions.
Hey Kentrad,
Yes, I didn't post the complete command, but I found a hidden deny statement in an inline policy that was preventing the correct access. Thanks for your message.
Hey AWS Learner,
I came to find that the solution was a bit simpler. A "hidden" deny statement in an inline policy someone has tested did the trick for me, but thanks for your msg.