I am getting an error when I try to start aws query using python boto3
Error message:
There was an error in error_handler: An error occurred (AccessDeniedException) when calling the StartQuery operation: User: arn:aws:sts::#########:assumed-role/cron-runner-production/ is not authorized to perform: logs:StartQuery on resource: arn:aws:logs:##-####-#:#########:log-group:/ecs/production:log-stream: because no identity-based policy allows the logs:StartQuery action
However, I added allowing policies:
statement {
  effect = "Allow"
  actions = [
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:StartQuery",
    "logs:GetQueryResults",
  ]
  resources = [
    "arn:aws:logs:##-####-#:#########:log-group:/aws/lambda/cron-runner-production:*"
  ]
}
Python code:
import boto3
from datetime import datetime, timedelta

log_group = "/ecs/production"  # log group named in the error message above
query = "fields @timestamp, @message | limit 20"  # placeholder: the actual query is not shown

boto3_client = boto3.client('logs')
query_id = boto3_client.start_query(
    logGroupName=log_group,
    startTime=int((datetime.today() - timedelta(minutes=5)).timestamp()),
    endTime=int(datetime.now().timestamp()),
    queryString=query,
).get('queryId')
Also, I am getting warnings in the AWS web console about "logs:StartQuery":
The actions in your policy do not support resource-level permissions and require you to choose All resources
Specify log-group resource ARN for the StartQuery and 1 more action
I believe you need to divide your policy into 2 statements, since GetQueryResults does not have any resource types, as indicated here in the AWS Documentation. Therefore you would use "*" only for GetQueryResults. So I think this would work instead:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:StartQuery",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:012345678901:log-group:*:log-stream:*",
        "arn:aws:logs:*:012345678901:log-group:*"
      ]
    },
    {
      "Sid": "statement2",
      "Effect": "Allow",
      "Action": "logs:GetQueryResults",
      "Resource": "*"
    }
  ]
}
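To see why the original policy fails and the two-statement version passes before touching IAM, the following is an added example (not code from the question or the answer) of a deliberately simplified, offline policy check. It models only Allow statements with Action/Resource and IAM's `*`/`?` wildcards; it ignores Deny, NotAction, Condition, SCPs and resource policies, so "allowed" here is not a full IAM evaluation, but "not allowed" mirrors the "no identity-based policy allows" error in the question. The region `eu-west-1` and account `012345678901` are constructed placeholders, and `ORIGINAL_POLICY` is the question's Terraform statement rewritten as JSON; actions with no resource types (such as `logs:GetQueryResults`) are evaluated against the resource `*`, which is why a statement scoped to a log-group ARN never matches them.

```python
"""Simplified, offline check of whether an identity-based IAM policy grants
an action on a resource ARN (added example; not a full IAM evaluator)."""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """True if any Allow statement covers both the action and the resource.

    Actions are compared case-insensitively, as IAM does. Deny statements,
    NotAction/NotResource and Condition blocks are deliberately not modelled.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        action_ok = any(_matches(a.lower(), action.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(_matches(r, resource)
                          for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


# Constructed placeholders for the masked region/account in the question.
REGION, ACCOUNT = "eu-west-1", "012345678901"

# The question's Terraform statement, expressed as JSON (constructed).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:StartQuery", "logs:GetQueryResults"],
        "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:"
                    "/aws/lambda/cron-runner-production:*",
    }],
}

# The answer's two-statement policy.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:StartQuery",
                       "logs:PutLogEvents"],
            "Resource": [f"arn:aws:logs:*:{ACCOUNT}:log-group:*:log-stream:*",
                         f"arn:aws:logs:*:{ACCOUNT}:log-group:*"],
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Action": "logs:GetQueryResults",
            "Resource": "*",
        },
    ],
}

# The resource ARN from the AccessDeniedException in the question.
ECS_LOG_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/ecs/production:log-stream:"


def evaluate_examples():
    """Run the four checks that explain the error; returns a name -> bool map."""
    return {
        "original StartQuery on /ecs/production":
            allows(ORIGINAL_POLICY, "logs:StartQuery", ECS_LOG_GROUP),
        "original GetQueryResults (no resource type, so resource '*')":
            allows(ORIGINAL_POLICY, "logs:GetQueryResults", "*"),
        "answer StartQuery on /ecs/production":
            allows(ANSWER_POLICY, "logs:StartQuery", ECS_LOG_GROUP),
        "answer GetQueryResults":
            allows(ANSWER_POLICY, "logs:GetQueryResults", "*"),
    }


if __name__ == "__main__":
    for name, ok in evaluate_examples().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

The first check fails for a second reason beyond the one the answer gives: the question's policy is scoped to `/aws/lambda/cron-runner-production`, while the denied request targets `/ecs/production`. The answer's `log-group:*` resources cover that, at the cost of granting StartQuery on every log group in the account; a narrower resource pattern naming only the log groups the cron runner needs to query is the least-privilege option.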