aws-global-accelerator

How to Enable AWS Global Accelerator Logs?


AWS Documentation leaves so much to be desired. I am sure it's 100% accurate, just cryptic to me. I just want to see why my global accelerator is not routing to my internal web server. There are three (!) ways to monitor this, and I'm trying to turn on the first one listed (which must be the most straightforward, right?)

Here is what I'm following: https://docs.aws.amazon.com/global-accelerator/latest/dg/monitoring-global-accelerator.flow-logs.html#monitoring-global-accelerator.flow-logs-publishing-S3

And it boils down to 3 steps:

  1. Create an S3 bucket
  2. Set IAM roles
  3. Run CLI command to set flow-logs-enabled

Ok, I did 1 and 3. But 2? Three separate examples of IAM JSON files which should be applied to... ? Here is where I lose it.

What do I need to create in IAM?

Step 2a starts "An IAM principal, such as an IAM role or user, must have sufficient permissions to publish flow logs..."

What principal or user? Is this saying "we recommend you create a principal to do this"? I am happy to but the ambiguity makes my head ache.

Step 2b talks about "the user creating the flow log" Who is this? Who decides what user creates the logs? Is this the same principal or user as above?

I just want it to work. This is for one AWS account and I'm just trying to figure out why this accelerator is not working, unlike my others. That is the real problem. This log is a side effect that I would prefer not to have to do if AWS could just show accelerator activity by default.


Solution

  • The principal in step 2 is, per the paragraph "To enable flow logs in AWS Global Accelerator":

    "the AWS user who is enabling the flow logs"

    So, in your case, it is the user that you will use to run the CLI command in step 3.
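To make the three steps from the question and the answer's point concrete (the principal in step 2 is whoever runs step 3), here is an added example script; it is not code from the question, the answer, or AWS. It writes the two policy documents, prints the CLI calls, and only executes them when APPLY=1. Every value (bucket name, prefix, account id, user name, accelerator ARN) is a placeholder, and the exact statement shape of the bucket policy and user policy is my reading of the linked doc page, so check it against that page before applying.

```shell
#!/bin/sh
# Added example (not from the question or answer): the three doc steps as one
# script. Defaults to printing the AWS CLI commands; set APPLY=1 to run them.
# All values below are placeholders you must replace with your own.
set -eu

BUCKET="${BUCKET:-example-ga-flow-logs}"                # placeholder bucket name
PREFIX="${PREFIX:-ga-flow-logs}"                        # placeholder S3 key prefix
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"                # placeholder account id
IAM_USER="${IAM_USER:-ga-operator}"                     # placeholder: the user who will run step 3
ACCELERATOR_ARN="${ACCELERATOR_ARN:-arn:aws:globalaccelerator::123456789012:accelerator/EXAMPLE}"  # placeholder
APPLY="${APPLY:-0}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Print a command, or execute it when APPLY=1.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# Step 2a: bucket policy. The grantee is the AWS log-delivery service
# principal, not your IAM user; it needs to write objects under the prefix
# (with the bucket owner getting full control) and to read the bucket ACL.
# Statement shape is my reading of the linked doc page (assumption).
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::$1/$2/AWSLogs/$3/*",
      "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "delivery.logs.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::$1"
    }
  ]
}
EOF
}

# Step 2b: policy for "the user creating the flow log", i.e. whoever runs
# step 3. Creating the log delivery needs these two CloudWatch Logs actions.
user_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogDelivery", "logs:DeleteLogDelivery"],
    "Resource": "*"
  }]
}
EOF
}

# Step 1: the destination bucket.
step1_create_bucket() {
  run aws s3 mb "s3://$BUCKET"
}

# Step 2: attach the bucket policy and the inline user policy.
step2_set_permissions() {
  bucket_policy "$BUCKET" "$PREFIX" "$ACCOUNT_ID" > "$WORKDIR/bucket-policy.json"
  user_policy > "$WORKDIR/user-policy.json"
  run aws s3api put-bucket-policy --bucket "$BUCKET" \
    --policy "file://$WORKDIR/bucket-policy.json"
  run aws iam put-user-policy --user-name "$IAM_USER" \
    --policy-name GlobalAcceleratorFlowLogs \
    --policy-document "file://$WORKDIR/user-policy.json"
}

# Step 3: run with IAM_USER's credentials. The Global Accelerator API is
# served from us-west-2 regardless of where your endpoints are.
step3_enable_flow_logs() {
  run aws globalaccelerator update-accelerator-attributes --region us-west-2 \
    --accelerator-arn "$ACCELERATOR_ARN" --flow-logs-enabled \
    --flow-logs-s3-bucket "$BUCKET" --flow-logs-s3-prefix "$PREFIX"
}

# Check: confirm the attributes took, then look for objects under the prefix
# (delivery starts within minutes, and only once the accelerator sees traffic).
verify() {
  run aws globalaccelerator describe-accelerator-attributes --region us-west-2 \
    --accelerator-arn "$ACCELERATOR_ARN"
  run aws s3 ls "s3://$BUCKET/$PREFIX/AWSLogs/$ACCOUNT_ID/" --recursive
}

step1_create_bucket
step2_set_permissions
step3_enable_flow_logs
verify
```

Run it once with the defaults to read the commands it would issue, then rerun with `APPLY=1` and your own values (for example `APPLY=1 BUCKET=... IAM_USER=... ACCELERATOR_ARN=... sh enable-ga-flow-logs.sh`). Step 3 must be executed with the credentials of the user named in `IAM_USER`, which is the whole point of the answer above: that user is the "principal" of step 2. If `describe-accelerator-attributes` shows `FlowLogsEnabled: true` but no objects ever appear, the bucket policy (step 2a) is the usual culprit, not the user policy.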