CloudWatch Logs agent can't assume role to send logs to different account

Submitted by 陌路散爱 on 2019-12-11 04:45:38

Question


I have 2 AWS accounts.

  • Account A: EC2 instances with awslogs client from amazon
  • Account B: Centralized logging account

I want to send logs from the EC2 instance with awslogs client (in account A) from one account to CloudWatch Logs in another account (account B).

It works fine by creating an IAM user in Account B and setting up the AWS credential key in awscli.conf, but I do not want keys to be hardcoded, so I'm trying to assume role as follows:

In Account B (the CloudWatch account), I created an IAM role named CloudWatchCrossRole:

Inline policy (allow this role to write logs to CloudWatch Logs):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Trust policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:role/CLoudWatchInstanceProfile"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

In Account A, I start an EC2 instance with the profile CLoudWatchInstanceProfile that looks as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_B:role/CloudWatchCrossRole"
        }
    ]
}

No joy, the logs are pushed to ACCOUNT_A instead of ACCOUNT_B. Can anyone give me a hint whether AssumeRole on CloudWatch Logs is possible or if it is mandatory to create an IAM user and hardcode the credentials in awscli.conf?


Answer 1:


There are two problems with this approach.

First, nothing is calling AssumeRole on the role in Account B. The CloudWatch Logs agent is expecting credentials, not a role.

Second, the Instance Profile in Account A cannot assign permissions to Account B.

Nor could I find any documentation to show how to insert credentials in the awscli.conf file you mentioned (can you show a sample)?

A couple of options:

  • Create a User in Account B and provide the resulting Access/Secret key to the CloudWatch Logs agent (as you seem to have done, but don't like), or
  • Have a process run on the instance that calls AssumeRole against the role in Account B, then provide those credentials to the CloudWatch Logs agent

If you are subscribed to AWS Support, open a support case to request guidance.
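The answer's second option, an instance-side process that calls AssumeRole against the Account B role and hands the temporary keys to the agent, sketched as an added Python example that is not from the question, the answer, or AWS. It assumes boto3 is present on the instance; the credentials-file path and the agent honouring aws_session_token from that file are assumptions to confirm against the agent's documentation.

```python
"""Refresh short-lived cross-account credentials for the log agent (added example)."""
import configparser
import io
import os
from datetime import datetime, timezone

# Role ARN placeholder is the one from the question; the file path is an assumption.
ROLE_ARN = "arn:aws:iam::ACCOUNT_B:role/CloudWatchCrossRole"
CREDENTIALS_PATH = "/var/awslogs/etc/aws.conf"


def assume_cross_account_role(sts_client, role_arn=ROLE_ARN, duration_s=3600):
    """Exchange the instance-profile credentials (Account A) for temporary keys on the
    Account B role. sts_client is a boto3 STS client; returns the Credentials dict."""
    resp = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName="awslogs-agent", DurationSeconds=duration_s
    )
    return resp["Credentials"]


def render_credentials_file(creds, profile="default"):
    """Serialise the keys in AWS shared-credentials-file syntax. AssumeRole keys are
    only valid together with their session token, so its absence is an error."""
    if not creds.get("SessionToken"):
        raise ValueError("temporary credentials require a SessionToken")
    cp = configparser.ConfigParser()
    cp[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def needs_refresh(creds, now=None, margin_s=300):
    """True when Expiration is within margin_s seconds, i.e. new keys should be
    fetched before STS stops honouring the current ones."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds() < margin_s


def write_credentials_file(text, path=CREDENTIALS_PATH):
    # Create the file 0600 so only the agent's user can read the secret.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":  # run on the instance (e.g. from cron) well before Expiration
    import boto3  # imported lazily so the helpers above can be exercised without it
    write_credentials_file(render_credentials_file(assume_cross_account_role(boto3.client("sts"))))
```

Keys from AssumeRole expire (one hour by default), so this has to be scheduled, and the agent must pick up the rewritten file; a static IAM-user key avoids that but is exactly the long-lived secret the question wants to avoid.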



Source: https://stackoverflow.com/questions/43424614/cloudwatch-logs-agent-cant-assume-role-to-send-logs-to-different-account
