
Support OpenSearch encrypted with Custom KMS (CMK) key

Open · wchaws opened this issue 11 months ago • 1 comment

Describe the bug

Cannot see any logs if OpenSearch CMK is enabled

In helper lambda logs:

[ERROR]    2023-07-25T04:59:46.965Z    25573a91-478a-4d82-96ee-c13144e24d27    An error occurred (ValidationException) when calling the UpdateElasticsearchDomainConfig operation: Error in Accessing KmsKeyID with details:User: arn:aws:sts::**********:assumed-role/CL-Pipe-7c6247c1-InitStackOpenSearchHelperRole046A-1NRFHEUW934UB/CL-Pipe-7c6247c1-OpenSearchHelperFn-6PdFQsjYjcbf is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:ap-southeast-1:**********:key/bbd26e05-7020-4076-bb1b-55ccc064d351 because no identity-based policy allows the kms:DescribeKey action (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 62788aa9-e5dc-4221-b4b4-e8d44b241bd3; Proxy: null)

Expected Behavior

OpenSearch contains Lambda logs and dashboards

Current Behavior

No logs and dashboards

Reproduction Steps

  1. Create an OpenSearch cluster with CMK enabled.
  2. Create a Lambda service log pipeline.
  3. Check if OpenSearch has any log data.

Possible Solution

No response

Additional Information/Context

No response

Solution Version

v1.0.3

AWS Region. e.g., us-east-1

No response

Other information

No response

wchaws, Jul 26 '23 05:07
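Added example, not part of the original issue and not code from the project: a triage helper that parses the AccessDenied line quoted in the report into principal, role, action and key, and builds an identity-policy statement scoped to exactly that action on that key. The function names and the account ID 111122223333 are constructed for illustration; the statement covers only the action named in the log line.

```python
import json
import re

# Log line from the issue's helper Lambda output (account ID masked as on the page).
SAMPLE = (
    "An error occurred (ValidationException) when calling the "
    "UpdateElasticsearchDomainConfig operation: Error in Accessing KmsKeyID with "
    "details:User: arn:aws:sts::**********:assumed-role/"
    "CL-Pipe-7c6247c1-InitStackOpenSearchHelperRole046A-1NRFHEUW934UB/"
    "CL-Pipe-7c6247c1-OpenSearchHelperFn-6PdFQsjYjcbf is not authorized to perform: "
    "kms:DescribeKey on resource: arn:aws:kms:ap-southeast-1:**********:key/"
    "bbd26e05-7020-4076-bb1b-55ccc064d351 because no identity-based policy allows "
    "the kms:DescribeKey action"
)

DENIED = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:\S+)"
    r"(?: because no (?P<policy_type>[\w-]+) policy allows)?"
)


def parse_denial(line):
    """Return the fields of an AccessDenied message, or None if the line has none."""
    m = DENIED.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # Session ARN shape: arn:aws:sts::<acct>:assumed-role/<role>/<session>.
    # A policy change applies to the role, not to the session.
    parts = d["principal"].split("/")
    is_session = ":assumed-role/" in d["principal"] and len(parts) >= 3
    d["role_name"] = parts[1] if is_session else None
    return d


def statement_for(denial, account_id):
    """Allow statement for the denied action only, on the named key only."""
    if denial.get("policy_type") != "identity-based":
        return None  # e.g. an explicit deny: an extra Allow would not change the result
    # The page masks the account ID with asterisks; substitute the real one.
    resource = re.sub(r"\*+", account_id, denial["resource"])
    return {"Effect": "Allow", "Action": denial["action"], "Resource": resource}


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print("role:", denial["role_name"])
    print(json.dumps(statement_for(denial, "111122223333"), indent=2))  # constructed ID
```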