
I am getting an error when I try to start an AWS query using Python boto3

Error message:

There was an error in error_handler: An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::#########:assumed-role/cron-runner-production/ is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:##-####-#:#########:log-group:/ecs/production:log-stream: because no identity-based policy allows the logs:StartQuery action

However, I added allowing policies:

    # Terraform aws_iam_policy_document statement (HCL, not JSON: the attribute is
    # `resources = [...]`, and the list is closed before the block ends)
    statement {
      effect = "Allow"
      actions = [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:StartQuery",
        "logs:GetQueryResults",
      ]
      resources = [
        "arn:aws:logs:##-####-#:#########:log-group:/aws/lambda/cron-runner-production:*",
      ]
    }

Python code:

    import boto3
    from datetime import datetime, timedelta

    # log_group and query are set elsewhere in the script
    boto3_client = boto3.client('logs')
    # Start a CloudWatch Logs Insights query over the last five minutes
    query_id = boto3_client.start_query(
        logGroupName=log_group,
        startTime=int((datetime.today() - timedelta(minutes=5)).timestamp()),
        endTime=int(datetime.now().timestamp()),
        queryString=query,
    ).get('queryId')

Also I am getting warnings in the AWS web console about "logs:StartQuery":

The actions in your policy do not support resource-level permissions and require you to choose All resources

Specify log-group resource ARN for the StartQuery and 1 more action

Stark
    Your policy only grants permission to `/aws/lambda/cron-runner-production:*` but the query is trying to use `/ecs/production:*` – jordanm Jul 24 '22 at 16:22

1 Answer


I believe you need to divide your policy into 2 statements since GetQueryResults does not have any resource types as indicated here in AWS Documentation. Therefore you would use "*" only for GetQueryResults. So I think this would work instead:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:StartQuery",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:012345678901:log-group:*:log-stream:*",
                "arn:aws:logs:*:012345678901:log-group:*"
            ]
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Action": "logs:GetQueryResults",
            "Resource": "*"
        }
    ]
}
Aslan Brooke
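To see why the asker's statement fails and the answer's two-statement policy succeeds, here is an added, deliberately simplified evaluator of IAM Allow statements (not AWS's real policy engine: it ignores Deny, NotAction/NotResource and Condition). Region, account id and the policies are constructed from the values quoted in the question and answer; the `/ecs/production` ARN is the one from the error message.

```python
import re

# IAM-style wildcard matching: '*' matches any run of characters (including ':' and '/'),
# '?' exactly one. Action names compare case-insensitively, resource ARNs case-sensitively.
def _matches(pattern, value, ignore_case=False):
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if any Allow statement matches both the action and the resource ARN.
    Simplified on purpose: no Deny, NotAction/NotResource or Condition handling."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])) \
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False

# Constructed sample values: region and account id are placeholders, not the asker's.
ACCOUNT = "012345678901"
REGION = "us-east-1"
ECS_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/ecs/production:log-stream:"
LAMBDA_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/cron-runner-production:log-stream:"

# The asker's single statement, written as the JSON that IAM evaluates.
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:StartQuery", "logs:GetQueryResults"],
    "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/cron-runner-production:*",
}]}
# The answer's shape: resource-scoped actions, plus "*" for GetQueryResults (no resource type).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:StartQuery", "logs:PutLogEvents"],
     "Resource": [f"arn:aws:logs:*:{ACCOUNT}:log-group:*:log-stream:*",
                  f"arn:aws:logs:*:{ACCOUNT}:log-group:*"]},
    {"Effect": "Allow", "Action": "logs:GetQueryResults", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("asker", ASKER_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "StartQuery on /ecs/production:", allows(pol, "logs:StartQuery", ECS_GROUP))
        print(name, "StartQuery on lambda group:", allows(pol, "logs:StartQuery", LAMBDA_GROUP))
        # GetQueryResults has no resource type, so IAM evaluates it against "*"
        print(name, "GetQueryResults:", allows(pol, "logs:GetQueryResults", "*"))
```

The asker's policy only allows StartQuery on the Lambda log group, and its specific resource ARN can never satisfy the "*" that GetQueryResults is checked against, which is exactly what the console warning reports.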