
Access Denied when running AWS Route53Resolver AssociateResolverQueryLogConfig


I'm getting an access denied message when trying to run route53resolver:AssociateResolverQueryLogConfig with the SDK from an AWS Lambda.

I've been adding the necessary policies to the role as the access denied errors showed up, but this last one doesn't specify which action is missing.

It logs an X-Ray Trace Id; I was able to find the trace, but there are no details about the error there.

This is the full error message:

{
  "errorType": "AccessDeniedException",
  "errorMessage": "[RSLVR-01600] Access denied Trace Id: \"1-63e29115-68ec2cb00f56b7e11f32490c\"",
  "trace": [
    "AccessDeniedException: [RSLVR-01600] Access denied Trace Id: \"1-63e29115-68ec2cb00f56b7e11f32490c\"",
    "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)",
    "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
    "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
    "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
  ]
}

This is my full Lambda code (nodejs):

const AWS = require("aws-sdk");

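/**
 * Creates a Route 53 Resolver query-log config and associates it with a VPC.
 *
 * The destination log group, config name and VPC can be overridden through
 * the environment (QUERY_LOG_DESTINATION_ARN, QUERY_LOG_CONFIG_NAME,
 * QUERY_LOG_VPC_ID); the previously hard-coded values remain the defaults,
 * so existing deployments behave the same.
 *
 * IAM actions the execution role needed in practice, as learned from the
 * AccessDeniedException responses while developing this handler:
 *   - route53resolver:CreateResolverQueryLogConfig, which additionally
 *     required logs:CreateLogDelivery and iam:CreateServiceLinkedRole
 *   - route53resolver:AssociateResolverQueryLogConfig, which additionally
 *     required ec2:DescribeVpcs (the error message does not name it)
 * NOTE(review): the role shown grants logs:* on "*"; the first error asked
 * only for logs:CreateLogDelivery, so a narrower grant may be enough — confirm.
 *
 * Every invocation creates a new query-log config; if the association call
 * fails, the config created just before it is left in place (it is not
 * deleted here), so the returned id is useful for cleanup.
 *
 * @param {object} event - Lambda invocation event; not used.
 * @returns {Promise<{resolverQueryLogConfigId: string}>} id of the created config.
 * @throws {Error} SDK errors are propagated unchanged (e.g. AccessDeniedException).
 */
exports.handler = async (event) => {
    const route53ResolverClient = new AWS.Route53Resolver();

    const createResolverQueryLogConfigParams = {
        // `??` so an explicitly set (even empty-looking) env var is only
        // ignored when absent, never silently replaced by the default.
        DestinationArn: process.env.QUERY_LOG_DESTINATION_ARN ?? "arn:aws:logs:sa-east-1:############:log-group:querylog:*",
        Name: process.env.QUERY_LOG_CONFIG_NAME ?? "test-query-log",
    };

    const { ResolverQueryLogConfig: { Id: resolverQueryLogConfigId } } =
        await route53ResolverClient.createResolverQueryLogConfig(createResolverQueryLogConfigParams).promise();

    const associateResolverQueryLogConfigParams = {
        ResolverQueryLogConfigId: resolverQueryLogConfigId,
        ResourceId: process.env.QUERY_LOG_VPC_ID ?? "vpc-#################",
    };

    await route53ResolverClient.associateResolverQueryLogConfig(associateResolverQueryLogConfigParams).promise();

    // Surface the id so a failed or orphaned config can be found later.
    return { resolverQueryLogConfigId };
};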

These are the policies in my role:

// AWSLambdaBasicExecutionRolePolicy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:sa-east-1:############:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:sa-east-1:############:log-group:/aws/lambda/*:*"
            ]
        }
    ]
}
// route53resolver
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53resolver:CreateResolverQueryLogConfig",
                "route53resolver:AssociateResolverQueryLogConfig"
            ],
            "Resource": "*"
        }
    ]
}
// CloudWatchLogs (required for CreateResolverQueryLogConfig)
// initially it asked only for "logs:CreateLogDelivery", but then it explicitly asked for permission for "logs:*"; odd, but I allowed it and it worked...
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:*",
            "Resource": "*"
        }
    ]
}
// IAM (required for CreateResolverQueryLogConfig even though I don't fully understand why)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*"
        }
    ]
}

Solution

  • I found out what it was after a lot of trial and error.

    You need permission for ec2:DescribeVpcs in order to run route53resolver:AssociateResolverQueryLogConfig.

    Just added that to my role policies and it worked.