Attempt to publish logs after access denied on CloudWatch log group creation.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
Publish logs to existing CloudWatch Log Groups.
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Image Builder currently attempts to create its own CloudWatch log group and log streams for image builds. These are deterministically named:
```
# Log group.
/aws/imagebuilder/{image recipe name}
# Log stream.
{image recipe version}/{build number}
```
- https://docs.aws.amazon.com/imagebuilder/latest/userguide/monitor-cwlogs.html
- https://docs.aws.amazon.com/imagebuilder/latest/userguide/image-details-list.html#:r2o:-trigger
When Image Builder creates the log group, it has infinite retention.
Instead, users may want to implement a workaround similar to the one used for CloudWatch log groups of Lambda functions, where users:
- Create the CloudWatch log group with custom settings (e.g. retention) ahead of time.
- Remove `logs:CreateLogGroup` and keep `logs:CreateLogStream` + `logs:PutLogEvents` permissions on the passed execution role.
Lambda will fail log group creation but still attempts log stream creation and log event puts when log group creation fails with "already exists" OR "access denied".
Image Builder doesn't seem to attempt anything after failing log group creation with access denied.
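The behaviour requested above, written out as an added example (this is not Image Builder's, Lambda's or AWS's code, and not part of the original issue): a least-privilege `logs:` policy for the execution role that omits `logs:CreateLogGroup`, and a publish routine that treats `ResourceAlreadyExistsException` and `AccessDeniedException` on `CreateLogGroup` as non-fatal and carries on to `CreateLogStream` and `PutLogEvents`. The recipe name, version, build number, account id, region and log lines are constructed for illustration, and the `DenyCreateGroupLogsClient` class is a hypothetical stand-in for a boto3 `logs` client whose role cannot create log groups, so the block runs offline. Against a real client, `publish_events` would be called with `boto3.client("logs")` instead.

```python
"""Lambda-style log publishing against a pre-created CloudWatch log group
when the execution role lacks logs:CreateLogGroup (added example)."""
import json
import time

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore not installed: stand-in with the same .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name


def log_group_name(recipe_name):
    # Deterministic group name Image Builder uses (from the issue text).
    return f"/aws/imagebuilder/{recipe_name}"


def log_stream_name(recipe_version, build_number):
    # Deterministic stream name Image Builder uses (from the issue text).
    return f"{recipe_version}/{build_number}"


def least_privilege_logs_policy(region, account_id, recipe_name):
    """IAM policy for the execution role: stream creation and event puts only,
    no logs:CreateLogGroup, scoped to the one group the build writes to."""
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name(recipe_name)}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [group_arn, f"{group_arn}:log-stream:*"],
        }],
    }


def _error_code(exc):
    return exc.response.get("Error", {}).get("Code")


def publish_events(logs, group, stream, events):
    """Publish the way the issue describes Lambda doing it: a CreateLogGroup
    failure with AlreadyExists or AccessDenied is tolerated, anything else
    (e.g. a missing pre-created group) is raised. Stream creation is idempotent."""
    try:
        logs.create_log_group(logGroupName=group)
    except ClientError as exc:
        if _error_code(exc) not in ("ResourceAlreadyExistsException", "AccessDeniedException"):
            raise
    try:
        logs.create_log_stream(logGroupName=group, logStreamName=stream)
    except ClientError as exc:
        if _error_code(exc) != "ResourceAlreadyExistsException":
            raise
    # PutLogEvents requires events in ascending timestamp order.
    return logs.put_log_events(logGroupName=group, logStreamName=stream,
                               logEvents=sorted(events, key=lambda e: e["timestamp"]))


class DenyCreateGroupLogsClient:
    """Hypothetical stand-in for boto3's 'logs' client: the caller's role has no
    logs:CreateLogGroup, and any pre-created groups carry a retention setting."""
    def __init__(self, existing_groups):
        self.groups = dict(existing_groups)  # group name -> retention in days
        self.streams = {}                    # (group, stream) -> list of events

    def create_log_group(self, logGroupName):
        raise ClientError({"Error": {"Code": "AccessDeniedException",
                                     "Message": "not authorized to perform: logs:CreateLogGroup"}},
                          "CreateLogGroup")

    def create_log_stream(self, logGroupName, logStreamName):
        if logGroupName not in self.groups:
            raise ClientError({"Error": {"Code": "ResourceNotFoundException",
                                         "Message": "The specified log group does not exist."}},
                              "CreateLogStream")
        key = (logGroupName, logStreamName)
        if key in self.streams:
            raise ClientError({"Error": {"Code": "ResourceAlreadyExistsException",
                                         "Message": "exists"}}, "CreateLogStream")
        self.streams[key] = []

    def put_log_events(self, logGroupName, logStreamName, logEvents):
        self.streams[(logGroupName, logStreamName)].extend(logEvents)
        return {"nextSequenceToken": str(len(self.streams[(logGroupName, logStreamName)]))}


def demo():
    """Pre-created group with 14-day retention, role denied CreateLogGroup,
    events still land in the deterministic stream. Returns the fake client."""
    recipe, version, build = "my-recipe", "1.0.0", "3"  # constructed values
    group = log_group_name(recipe)
    logs = DenyCreateGroupLogsClient({group: 14})
    now = int(time.time() * 1000)
    events = [{"timestamp": now + 1, "message": "Phase build completed"},  # constructed
              {"timestamp": now, "message": "Phase build started"}]
    publish_events(logs, group, log_stream_name(version, build), events)
    return logs


if __name__ == "__main__":
    client = demo()
    print(json.dumps(least_privilege_logs_policy("us-east-1", "123456789012", "my-recipe"), indent=2))
    for (g, s), evs in client.streams.items():
        print(g, s, [e["message"] for e in evs], "retention days:", client.groups[g])
```

The retention value never changes because the group is created (with its retention) before the build, and the role cannot create a replacement; if the group has not been pre-created, `create_log_stream` fails with `ResourceNotFoundException`, which `publish_events` deliberately does not swallow, so a misconfigured pipeline fails loudly instead of silently losing logs.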
Are you currently working around this issue?
Use an S3 logging configuration on the infrastructure configuration to recover visibility.
Additional context
None.