By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Denied Access to logs:CreateLogStream action as Root User

0

Hello.

I am new to AWS and was writing a function in AWS Lambda to create a log group and log stream. When I test in AWS Lambda, the log group is successfully created, but an error occurs when trying to create a log stream for that log group. As the root user, for some reason, I am getting a Client Error: Access Denied Exception because my root user "is not authorized to perform: logs:CreateLogStream" on the log_stream resource "because no identity-based policy allows the logs:CreateLogStream action." However, when I code something similar in my local IDE with Boto3, everything works as expected.

Appreciate any help!

Topics
ServerlessComputeManagement & GovernanceSecurity, Identity, & Compliance
Tags
AWS LambdaAmazon CloudWatchAWS Account ManagementIAM Policies
Language
English
rePost-User-2326190
asked 10 months ago778 views
1 Answer
2
Accepted Answer

Hi,

when you run an AWS Lambda function, the function assumes a AWS IAM role. This is called the function execution role. The function has only the permissions that are defined in that role, regardless of what the permissions of your IAM user or role are. Please check the IAM role of the function and make sure that the correct permissions are assigned.

You can find more information here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

profile pictureAWS
EXPERT
ben-from-aws
answered 10 months ago
profile picture
EXPERT
Hiroki Takahashi
reviewed 10 months ago
  • rePost-User-2326190
    10 months ago

    Thanks a lot for your response. Seems like I rushed through the creation of the function.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content