By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS CLI "aws stepfuncions create-state-machine" gives AccessDeniedException

0

Hello everyone.

When trying to run the command bellow:

aws stepfunctions create-state-machine --logging-configuration '{ "level": "ALL", "includeExecutionData": false, "destinations": [ { "cloudWatchLogsLogGroup": { "logGroupArn": "arn:aws:logs:region:0000000000:log-group:/aws/step-funtions/log_group:*"

Im getting this error:

An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: The state machine IAM Role is not authorized to access the Log Destination

Searching online I found it could be that the IAM role Im using to create the state machine is not having all the permissions it needs so I´ve changed the policy to include:

"logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups" ], "Resource": "*"

It didnt work, so after doing lots of variation to the policy, I tried the AWS Managed policy CloudWatchLogsFullAccess, which give to me the same error. Even with a full admin permission set, the error continue to show.

Can you help me understand what am I doing wrong?

Thank you!

aws-cli/2.9.2 Python/3.9.11 Linux/5.15.79.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22 prompt/off

Topics
ServerlessApplication IntegrationSecurity, Identity, & ComplianceManagement & Governance
Tags
AWS Step FunctionsAWS Identity and Access ManagementAWS Command Line InterfaceAmazon CloudWatchIAM Policies
Language
English
Tarcisio M
asked a year ago1034 views
2 Answers
1

This is most likely due to the IAM permission issue not having necessary permission.

The other possible cause is due to limitation of an internal dependency related to the size of the CloudWatch Logs resource policy. Internally the service attempts to update the resource policy document when we create a state machine with a new CloudWatch Log group. If the policy document exceeds the 5120 character limit you would see the error as "The state machine IAM Role is not authorized to access the Log Destination". https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL

I would request you to please use AWS CLI to determine the size of resource policy. aws logs describe-resource-policies

For more details, please refer https://docs.aws.amazon.com/cli/latest/reference/logs/describe-resource-policies.html

To unblock the from this situation, you can update the resource policy to use "Resource": "*", To update the policy: aws logs put-resource-policy --policy-name $POLICY_NAME --policy-document $POLICY_DOCUMENT

Where $POLICY_NAME is the name of the describe-resource-policies, usually in the form of AWSLogDeliveryWriteXXXX and $POLICY_DOCUMENT is a copy of the policyDocument from describe-resource-policies result with the Resource array replaced with "*".

Alternatively, you can also remove unused entries from the Resource array, if you do not want to use a * policy.

AWS
AWS-Learner
answered a year ago
  • Tarcisio M
    a year ago

    Hey AWS Learner,

    I came to find that the solution was a bit simpler. A "hidden" deny statement in an inline policy someone has tested did the trick for me, but thanks for your msg.

1

Your command does not show the '--role-arn' specified. That role needs to have the CloudWatch Logs permissions.

profile pictureAWS
EXPERT
kentrad
answered a year ago
  • Tarcisio M
    a year ago

    Hey Kentrad,

    Yes, I didnt post the complete command, but I found a hidden deny statemente in a inline policy that was preventing the correct access. Thanks for your message.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content