lambda-logging-kinesis-demo
DestinationArn for vendor kinesis cannot be used without roleArn
Hi @theburningmonk.
I am getting the following error in the subscribe function when I create a new log group.
```json
{
  "errorMessage": "destinationArn for vendor kinesis cannot be used without roleArn",
  "errorType": "InvalidParameterException",
  "stackTrace": [
    "Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)",
    "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
    "Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
    "Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)",
    "Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)",
    "AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)",
    "/var/task/node_modules/aws-sdk/lib/state_machine.js:26:10",
    "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)",
    "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)",
    "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
  ]
}
```
If I add the roleArn property as:
```javascript
let options = {
  destinationArn: arn,
  logGroupName: logGroupName,
  filterName: 'ship-logs',
  filterPattern: '[timestamp=*Z, request_id="*-*", event]',
  roleArn: role_arn,
};
```
and
```yaml
role_arn:
  Fn::GetAtt:
    - CloudWatchLogsRole
    - Arn
```
Then I get the following error.
```json
{
  "errorMessage": "User: arn:aws:sts::275307759108:assumed-role/cloudwatch-logs-to-logzio-dev-subscribe-eu-west-1-lambdaRole/cloudwatch-logs-to-logzio-dev-subscribe is not authorized to perform: iam:PassRole on resource: arn:aws:iam::275307759108:role/cloudwatch-logs-to-logzio-dev-cloudwatchrole",
  "errorType": "AccessDeniedException",
  "stackTrace": [
    "Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)",
    "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
    "Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
    "Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)",
    "Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)",
    "AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)",
    "/var/task/node_modules/aws-sdk/lib/state_machine.js:26:10",
    "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)",
    "Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)",
    "Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)"
  ]
}
```
Any thoughts on what it could be? I haven't modified the code from the repo.
Thanks, Pedro
Try adding passRole to iamRoleStatements, e.g.:
```yaml
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "logs:PutSubscriptionFilter"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "iam:PassRole"
    Resource: "*"
```
Seems to match what is required/documented here:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html
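Added example (not code from the repo or from anyone in this thread) showing the check behind the first error and a narrower form of the IAM statements suggested above: the iam:PassRole grant is scoped to the one CloudWatch Logs role and limited with the iam:PassedToService condition instead of Resource: "*". It treats Firehose destinations like Kinesis, which goes beyond the thread; all ARNs are constructed sample values.

```javascript
// Added example, not part of lambda-logging-kinesis-demo. All ARNs are constructed.

// Split an ARN into its fixed fields: arn:partition:service:region:account:resource
function parseArn(arn) {
  const parts = arn.split(':');
  if (parts.length < 6 || parts[0] !== 'arn') {
    throw new Error(`not an ARN: ${arn}`);
  }
  return {
    partition: parts[1], service: parts[2], region: parts[3],
    account: parts[4], resource: parts.slice(5).join(':'),
  };
}

// Build the PutSubscriptionFilter params the subscribe function sends. A Kinesis
// (or Firehose) destination needs a roleArn that CloudWatch Logs will assume;
// a Lambda destination does not. Failing locally mirrors the service-side
// InvalidParameterException quoted in the issue.
function buildSubscriptionParams({ destinationArn, logGroupName, roleArn }) {
  const dest = parseArn(destinationArn);
  const params = {
    destinationArn,
    logGroupName,
    filterName: 'ship-logs',
    filterPattern: '[timestamp=*Z, request_id="*-*", event]',
  };
  if (dest.service === 'kinesis' || dest.service === 'firehose') {
    if (!roleArn) {
      throw new Error(`destinationArn for vendor ${dest.service} cannot be used without roleArn`);
    }
    params.roleArn = roleArn;
  }
  return params;
}

// Least-privilege statements for the subscribe function's own execution role:
// PutSubscriptionFilter only on the log groups it manages, and PassRole only for
// the one CloudWatch Logs role, and only when it is passed to the Logs service.
function buildSubscribeRoleStatements({ logGroupArn, roleArn }) {
  return [
    { Effect: 'Allow', Action: ['logs:PutSubscriptionFilter'], Resource: logGroupArn },
    {
      Effect: 'Allow', Action: ['iam:PassRole'], Resource: roleArn,
      Condition: { StringEquals: { 'iam:PassedToService': 'logs.amazonaws.com' } },
    },
  ];
}
```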
The above recommendation by @hampsterx didn't work for me.
EDIT: Oops, I hadn't enabled the serverless-iam-roles-per-function plugin. That, in conjunction with @hampsterx's tip, got it working for me. 👏
@hampsterx it works!
@hampsterx, @pedrodelgallego @andrhamm, thank you for raising the issue and finding a fix for it. I've added a PR for fixing this issue. In addition I've changed the configuration to be more robust, so you can use environment variables to override some basic configurations.
@theburningmonk - Can you please review it?
Hi guys, thanks for reporting this. Sadly this project is no longer necessary, per se, as I have published a version of this as a SAR app, here, which lets you specify the ARN for the target to be either Lambda or Kinesis.