2 Answers
0
Hi, if you follow this resource (https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-iam/), you can see that you need the following:
- IAM policy in source account
- IAM role and trusted policy in target account.
Make sure the IAM role account has the appropriate permissions to access and put logs in the Kinesis stream.
0
Yes, you are correct.
At the moment CloudFront real-time logging (CreateRealtimeLogConfig) to Kinesis Data Stream does not support cross-account access.
answered a year ago
Is there an official source?
Publicly not at the moment.
But on the CloudFront real-time logging console page you will get this message: The parameter EndPoint <your KDS ARN> is not valid because it is in a different AWS account
After updating the IAM role in the source account as suggested, now I'm receiving a different error:
An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account.
Note that the IAM role is in the target account. The source account has an IAM policy assuming the role name which is defined in the target account. Then in the source account you have to attach it to the proper user/service. Try following the guide step by step.
I followed everything mentioned in the guide. I'm afraid there is no support for CloudFront Real-Time Logging Cross-Account. This is what I can understand from the received error:
An error occurred (InvalidArgument) when calling the CreateRealtimeLogConfig operation: The parameter EndPoint arn:aws:kinesis:eu-west-3:LogAccountID:stream/demoDataStream is not valid because it is in a different AWS account
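
A pre-flight check for the limitation reported in this thread, as an added example that is not part of any post here and is not AWS code: it parses the `StreamARN` of each entry in the `EndPoints` structure passed to CreateRealtimeLogConfig and reports any stream that is malformed, not a Kinesis data stream, or outside the calling account. The function names and the 12-digit account IDs are constructed for illustration; in practice the caller's account ID would come from STS GetCallerIdentity.

```python
import re

# General ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}):(?P<resource>.+)$"
)


def parse_arn(arn):
    """Split an ARN into its fields; reject anything without a 12-digit account."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a well-formed ARN with a 12-digit account ID: {arn!r}")
    return m.groupdict()


def check_endpoints(caller_account, endpoints):
    """Return a list of problems; an empty list means every stream is local."""
    problems = []
    for i, ep in enumerate(endpoints):
        stream_arn = ep.get("KinesisStreamConfig", {}).get("StreamARN", "")
        try:
            arn = parse_arn(stream_arn)
        except ValueError as exc:
            problems.append(f"EndPoints[{i}]: {exc}")
            continue
        if arn["service"] != "kinesis" or not arn["resource"].startswith("stream/"):
            problems.append(f"EndPoints[{i}]: {stream_arn} is not a Kinesis data stream ARN")
        elif arn["account"] != caller_account:
            problems.append(
                f"EndPoints[{i}]: stream is in account {arn['account']}, "
                f"caller is {caller_account}; CreateRealtimeLogConfig will reject it"
            )
    return problems


def endpoint(stream_arn, role_arn):
    """Build one EndPoints entry in the shape CreateRealtimeLogConfig expects."""
    return {"StreamType": "Kinesis",
            "KinesisStreamConfig": {"RoleARN": role_arn, "StreamARN": stream_arn}}


# Constructed sample data: 111111111111 is the CloudFront account,
# 222222222222 is a separate logging account.
CALLER = "111111111111"
ROLE = "arn:aws:iam::111111111111:role/example-realtime-log-role"
LOCAL = endpoint("arn:aws:kinesis:eu-west-3:111111111111:stream/demoDataStream", ROLE)
REMOTE = endpoint("arn:aws:kinesis:eu-west-3:222222222222:stream/demoDataStream", ROLE)
```

Running `check_endpoints` before the API call turns the `InvalidArgument` error quoted above into an explicit finding in a deployment pipeline.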