By using AWS re:Post, you agree to the Terms of Use

Issue with pushing an EC2 instance's Docker container logs into CloudWatch


I have a working EC2 instance in free tier, with a responding java-based grpc server in a docker container inside the instance.
I'd like to send the logs of the container into the CloudWatch.
I created the suggested policy, the EC2 role, and the role is attached to the instance.
The container is started from the bash of the linux instance with this command:
docker run -d -p 9092:9092 -t <<my-container-name>> --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group="gRPC-POC" --log-opt awslogs-stream="gRPC-POC-log" --log-opt awslogs-create-group=true --log-opt awslogs-create-stream=true
I tried to run the container with different users, with different options of the log-driver, omitting parts and almost everything.
The policy I created to use the CloudWatch looks like this:\

    "Version": "2012-10-17",
    "Statement": [
            "Action": [
            "Effect": "Allow",
            "Resource": "arn:aws:logs:us-east-1:<<my-account-number>>:log-group:*:*"

So far,no sign of the gathered logs in CloudWatch even if I create a log-group and/or log-stream or I don't.
Maybe I'm missing a step or a vital information somewhere?
Do You have any suggestions, please?

#EDIT The command aws sts get-caller-identity gives this result: Enter image description here The command was used from the bash of the running instance. (This is what You meant, @Roberto? Anyways, thanks.)
It looks like the instance has the proper right, 'GrpcPocAccessLogs'.

  • You can confirm whether the container is getting the role your intend to use, using this cli aws sts get-caller-identity from within the container

  • I meant doing that from within the container (e.g. docker exec -it <container_id> bash)

2 Answers
Accepted Answer


The IAM policy is correct but something is amiss in the command you shared. Some observations / queries:

  1. Is your container actually running after you issue the command? The above syntax does not throw any error but does not even start the container for me. You can confirm with 'docker ps' or 'docker ps -a'

  2. By <<my-container-name>> in your command above do you mean to imply the name of the image to launch the container with. In that case provide the name of the image at the end of the command. Docker run command usage is:

docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
  1. awslogs-create-stream is not a valid log-opt parameter and returns "docker: Error response from daemon: unknown log opt 'awslogs-create-stream' for awslogs log driver." Checked this against the latest docker documentation and docker v20.10.17.

Try this command:

docker run -d -p 9092:9092 -t --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group="gRPC-POC" --log-opt awslogs-stream="gRPC-POC-log" --log-opt awslogs-create-group=true  <<my-image-name>>


profile picture
answered a month ago
  • Tanks a lot, @Syd :) Of course, it was the order of the options and the image name. You saved my day.

profile picture
answered 2 months ago
  • Thanks, but why should I use a proxy to push the logs to CloudWatch, if the daemon does this itself? Except for adding "an additional layer of security between your Docker instances and internet-bound traffic" - but currently I have another goal: to establish the communication transporting the container logs to CloudWatch.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions