# help
b
Hello, I'm getting an access-denied error. When I checked the IAM, I have full CloudWatch Logs resource access. Do I need to add any extra permission? Error is:

```text
AccessDeniedException: User: arn:aws:sts::<account id>:assumed-role/dev-sst-lambda-project-CustomMessageSubscriber0Servic-WPZ64QBFPMK/dev-sst-lambda-project-CustomMessageSubscriber0A30F89-glnN4McVNcwU is not authorized to perform: logs:DescribeMetricFilters on resource: arn:aws:logs:us-east-1:<account_id>:log-group:null:log-stream:
    at Request.extractError (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\protocol\json.js:52:27)
    at Request.callListeners (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
    at Request.emit (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
    at Request.emit (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\request.js:688:14)
    at Request.transition (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\request.js:22:10)
    at AcceptorStateMachine.runTo (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\state_machine.js:14:12)
    at D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\state_machine.js:26:10
    at Request.<anonymous> (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\request.js:38:9)
    at Request.<anonymous> (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\request.js:690:12)
    at Request.callListeners (D:\Workplace\Project\project\cloudwatch custom email\sst lambda\node_modules\aws-sdk\lib\sequential_executor.js:116:18) {
  code: 'AccessDeniedException',
  time: 2021-08-09T11:34:19.378Z,
  requestId: '7bf18aea-43b7-4e14-9414-8c9664bfed48',
  statusCode: 400,
  retryable: false,
  retryDelay: 96.72244526808682
}
```
t
Is this a lambda function trying to fetch metrics?
b
Yes, that's correct.
t
Lambda functions don't run as your user account, they run under their own role (even in local development). This helps reduce differences between production and local. You need to add a policy to the role that grants the `logs:describeMetricsFilters` action.
s
It looks suspicious that there is `log-group:null:log-stream` on the end of the resource ARN at the start of the stack trace. The null is in the position where the log group name should be. Could you share how the function is created?
b
It's trying to fetch the log group name from describe metrics.
```ts
import * as sst from "@serverless-stack/resources";

export default class SNSStack extends sst.Stack {
  constructor(scope: sst.App, id: string, props?: sst.StackProps) {
    super(scope, id, props);

    // Create Topic
    new sst.Topic(this, "CustomMessage", {
      subscribers: ["src/lambda.main"],
    });
  }
}
```
CW Alarm => SNS => Lambda => CW LOG => SNS
I'm trying to customize the CW log message.
Lambda function:

```ts
import { SNSEvent } from "aws-lambda";
import { CloudWatchLogs } from "aws-sdk";

export async function main(event: SNSEvent): Promise<void> {
  try {
    // The SNS message body is the CloudWatch Alarm notification (JSON)
    const message = JSON.parse(event.Records[0].Sns.Message);

    const requestParams = {
      metricName: message.Trigger.MetricName,
      metricNamespace: message.Trigger.Namespace,
    };

    const cloudWatchLog = new CloudWatchLogs();

    // aws-sdk v2 returns an AWS.Request; call .promise() to await the response
    const describeMetric: CloudWatchLogs.DescribeMetricFiltersResponse =
      await cloudWatchLog.describeMetricFilters(requestParams).promise();
    console.log("describeMetric", describeMetric);
  } catch (err) {
    console.log("Error is:", err);
  }
}
```
The same code is working in Serverless Framework.
So I'm currently trying the same functionality in SST.
s
Ah, that's interesting. Could you share your use case? Are you trying to customise the alarm message to add more information?
t
Can you try extracting the function and giving it permissions:

```ts
// Imports added for completeness; "@aws-cdk/aws-iam" is the CDK v1 package SST used at the time (assumed)
import * as iam from "@aws-cdk/aws-iam";
import { Function } from "@serverless-stack/resources";

const f = new Function(stack, "Function", {
  handler: "test/lambda.handler",
});
f.role.addToPrincipalPolicy(new iam.PolicyStatement({
  actions: ["logs:DescribeMetricFilters"],
  // "*" is the broadest scope; narrow to the relevant log group ARNs where possible
  resources: ["*"],
  effect: iam.Effect.ALLOW,
}));
```
b
I'm trying to format the error message, since CW Alarm sends standard template content.
Sure @thdxr Let me try and let you know.
@thdxr Property 'role' does not exist on type `Topic`
I want to trigger a lambda from the SNS topic.
t
Take a closer look at the snippet I posted, I'm defining the function separately from the Topic so I can add permissions to it. You can then pass it into the Topic with `subscribers: [f]`
b
@thdxr It's working! Thank you!! 🙂
f
Hey, just wanted to chime in here, you can also grant the permission inline like this:
```ts
import { Function } from "@serverless-stack/resources";

const f = new Function(stack, "Function", {
  handler: "test/lambda.handler",
  permissions: ["logs:DescribeMetricFilters"],
});
```
t
Oo that is nice