
I am able to perform some action (specifically, use CloudWatch Logs Insights and run a query) on the AWS console. But I am unable to do the same using the AWS CLI or boto3 (aws logs start-query). It gives AccessDeniedError. However, I am able to run other commands like aws s3 ls. Isn't it the case that permissions for both console and CLI are the same?

The exact error is:

An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::----:assumed-role/---- is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:----

How should I debug this issue?

ArslanAnjum
  • "Isn't it the case that permissions for both console and CLI are the same?" That depends entirely on how you set up the API keys for the CLI to use. Did you create an API key for the same user account that you are using to log in to the console? – Mark B Jan 03 '20 at 14:07
  • Yes, the API key is for the same user that I use to log in to the console. – ArslanAnjum Jan 03 '20 at 14:14
  • One caveat though: it's a federated user that I am using, but both console and CLI are using the same federated account. – ArslanAnjum Jan 03 '20 at 14:21
  • I have edited the question to include the exact error that I am receiving. – ArslanAnjum Jan 03 '20 at 14:24
  • Can you please edit your question to show the policy that is granting that role permission to call `logs:StartQuery`? – John Rotenstein Jan 03 '20 at 23:03

1 Answer


It means the CLI user you are using does not have permission for the logs:StartQuery operation.

For testing purposes you can grant the predefined policy CloudWatchLogsFullAccess to the CLI user. For more fine-grained permissions, check: CloudWatch Logs Permissions Reference

Emin