Error in `aws logs put-account-policy` documentation
Describe the issue
I found the following error in the documentation:
RoleArn The ARN of an IAM role that grants CloudWatch Logs permissions to deliver ingested log events to the destination stream. You don’t need to provide the ARN when you are working with a logical destination for cross-account delivery.
The following sentence isn't fully true: you DO require a RoleArn for cross-account delivery when the logical destination was created with an organization access policy, otherwise you'll get the following error:
An error occurred (InvalidParameterException) when calling the PutAccountPolicy operation: Role ARN is required when creating subscription filter against destination with Organization access policy.
Links
https://docs.aws.amazon.com/cli/latest/reference/logs/put-account-policy.html
I want to add that, in my view, the current RoleArn description is not clear at all. I was following this guide step for creating the role, and I simply could not understand it.
This is the IAM policy document:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:region:111111111111:log-group:LogGroupOnWhichSubscriptionFilterIsCreated:*"
    }
  ]
}
Essentially, this grants the CloudWatch Logs service principal (logs.amazonaws.com) permission to write to a specific log group. That does not make sense to me for several reasons:
- The permission should apply to the entire account, since we are working with account-level subscription filters, not a single log group.
- The AWS CLI docs state that the RoleArn grants CloudWatch Logs permissions to deliver ingested log events to the destination stream, but that seems inaccurate. The policy document above actually grants CloudWatch Logs permission to write to a log group, which I don't see how is useful in this context. Why would a service try to write to itself?
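As an added example (not from the issue reporter, AWS, or the linked blog post): a small pre-flight check that inspects a destination's access policy for an aws:PrincipalOrgID condition and, only in that case, insists on a RoleArn before building the SUBSCRIPTION_FILTER_POLICY document for put-account-policy. The destination ARN, account IDs and organization ID are placeholders; the document keys follow the put-account-policy reference linked above.

```python
import json
from typing import Any, Dict, Optional

ORG_ID_KEY = "aws:principalorgid"  # IAM condition keys are case-insensitive


def destination_uses_org_policy(access_policy: str) -> bool:
    # An "organization access policy" is one whose Allow statement is gated on
    # aws:PrincipalOrgID; that is the case where PutAccountPolicy rejects a
    # missing RoleArn with the InvalidParameterException quoted in the issue.
    statements = json.loads(access_policy).get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for keys in stmt.get("Condition", {}).values():
            if any(k.lower() == ORG_ID_KEY for k in keys):
                return True
    return False


def build_subscription_filter_policy(destination_arn: str, filter_pattern: str,
                                     destination_access_policy: str,
                                     role_arn: Optional[str] = None) -> str:
    # Returns the JSON passed as --policy-document to
    # `aws logs put-account-policy --policy-type SUBSCRIPTION_FILTER_POLICY`;
    # fails locally, before any API call, when the destination needs a RoleArn.
    if destination_uses_org_policy(destination_access_policy) and not role_arn:
        raise ValueError("RoleArn is required for a destination with an "
                         "organization access policy")
    doc: Dict[str, Any] = {"DestinationArn": destination_arn,
                           "FilterPattern": filter_pattern,
                           "Distribution": "Random"}
    if role_arn:
        doc["RoleArn"] = role_arn
    return json.dumps(doc)


# Constructed sample destination access policies; account IDs and the
# organization ID "o-EXAMPLE" are placeholders, not real values.
DEST = "arn:aws:logs:us-east-1:222222222222:destination:central"
ORG_DESTINATION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "logs:PutSubscriptionFilter",
    "Resource": DEST,
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ["o-EXAMPLE"]}}}]})
ACCOUNT_DESTINATION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "111111111111"},
    "Action": "logs:PutSubscriptionFilter", "Resource": DEST}]})
```

The destination's current access policy is what `aws logs describe-destinations` returns in its accessPolicy field; feed that string in as destination_access_policy.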
Hello @garysassano, thanks for reaching out. I have replicated the same issue, where I got the same error: An error occurred (InvalidParameterException) when calling the PutAccountPolicy operation: Role ARN is required when creating subscription filter against destination with Organization access policy. Then, after adding the Role ARN, it worked. The documentation reflects the CloudWatch Logs Service Model and I have reached out to the team for updating the model and the document. I have also forwarded your question to the team in regards to the doc. If there are any updates, I will let you know. Thanks
For Internal Tracking: P242743771
@adev-code Thanks for the response. The policy requirement still doesn't make much logical sense to me. Interestingly, @aidansteele had the same question a few years ago, which he pointed out in this blog post.
Resources:
  LogPusherRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref LogPusherRoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: logs.amazonaws.com
      Policies:
        - PolicyName: PutLogEvents
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: logs:PutLogEvents
                Resource: "*"
                # why does it need this permission? not sure. it's what the docs
                # say and I haven't yet tested if it works without it.
                # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateSubscriptionFilter-IAMrole.html
Thank you for the reply. As per above, I have reached out to the Service Team who manages the documentation. We do not have a timeline for now on when the Service Team is going to release a change. Moving forward, please check the changelog for updates (Botocore, Boto3 and AWS CLI).
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.