centralized-logging-with-opensearch
Support OpenSearch encrypted with Custom KMS (CMK) key
Describe the bug
Cannot see any logs if OpenSearch CMK is enabled.
In the helper Lambda logs:
[ERROR] 2023-07-25T04:59:46.965Z 25573a91-478a-4d82-96ee-c13144e24d27 An error occurred (ValidationException) when calling the UpdateElasticsearchDomainConfig operation: Error in Accessing KmsKeyID with details:User: arn:aws:sts::**********:assumed-role/CL-Pipe-7c6247c1-InitStackOpenSearchHelperRole046A-1NRFHEUW934UB/CL-Pipe-7c6247c1-OpenSearchHelperFn-6PdFQsjYjcbf is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:ap-southeast-1:**********:key/bbd26e05-7020-4076-bb1b-55ccc064d351 because no identity-based policy allows the kms:DescribeKey action (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 62788aa9-e5dc-4221-b4b4-e8d44b241bd3; Proxy: null)
Expected Behavior
OpenSearch contains Lambda logs and dashboards
Current Behavior
No logs and dashboards
Reproduction Steps
- Create an OpenSearch cluster with CMK enabled.
- Create a Lambda service log pipeline.
- Check if OpenSearch has any log data.
Possible Solution
No response
Additional Information/Context
No response
Solution Version
v1.0.3
AWS Region. e.g., us-east-1
No response
Other information
No response