AWS CloudWatch cross-account logging using an EC2 instance profile

Time: 2018-02-12 23:44:55

Tags: amazon-web-services amazon-iam amazon-cloudwatch

When I initially set up CloudWatch, I created an EC2 instance profile that automatically grants write access to the account's own CloudWatch service. Now I want to consolidate the logs of several accounts into one central account.

I want to implement a simplified architecture based on Centralized Logging on AWS. However, these logs will feed an on-premises ELK stack, so I am only trying to implement the components outlined in red. I want to solve this without using Kinesis.

[image: simplified central logging on aws]

The CloudWatch Agent (CWAgent) does not support assuming a role, or I cannot work out how to build an EC2 instance profile that allows CWAgent to assume a role in another account.

Logging destination (AWS account 111111111111)

IAM LogStreamerRole:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::999999999999:role/EC2CloudWatchLoggerRole"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

Logging source (AWS account 999999999999)

IAM instance profile role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111111:role/LogStreamerRole"
        }
    ]
}

CWAgent produces the following error:

/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log:
2018-02-12T23:27:43Z E! CreateLogStream / CreateLogGroup with log group name Linux/var/log/messages stream name i-123456789abcdef has errors. Will retry the request: AccessDeniedException: User: arn:aws:sts::999999999999:assumed-role/EC2CloudWatchLoggerRole/i-123456789abcdef is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-west-2:999999999999:log-group:Linux/var/log/messages:log-stream:i-123456789abcdef
    status code: 400, request id: 53271811-1234-11e8-afe1-a3c56071215e

It is still trying to write to its own CloudWatch service instead of the central CloudWatch service.

1 answer:

Answer 0 (score: 0)

From the log, I can see that the instance profile is being used:

arn:aws:sts::999999999999:assumed-role/EC2CloudWatchLoggerRole/i-123456789abcdef

Just add the following to /etc/awslogs/awscli.conf to assume the LogStreamerRole role:

role_arn = arn:aws:iam::111111111111:role/LogStreamerRole
credential_source = Ec2InstanceMetadata
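The following is an added example, not code from the original question or answer and not an AWS tool. It embeds constructed copies of the three policy documents from the question (same placeholder account IDs and role names), checks offline that the chain holds at every link (the source instance-profile role may call sts:AssumeRole on LogStreamerRole, LogStreamerRole trusts the source role, and LogStreamerRole can create and write log streams in the central account), and renders the profile the answer adds. Two things in it are assumptions: the policy matcher is deliberately simplified (Allow statements and `*` wildcards only, no Deny, NotAction or Condition evaluation), and the destination permissions policy is scoped to account 111111111111 rather than the question's `arn:aws:logs:*:*:*`, on the assumption that log groups only ever live in the central account. One caveat on the answer: /etc/awslogs/awscli.conf belongs to the older awslogs agent; amazon-cloudwatch-agent selects its credential profile through `shared_credential_profile` / `shared_credential_file` in common-config.toml, and the `role_arn` / `credential_source` keys go into that profile instead.

```python
"""Offline check of the cross-account AssumeRole chain from the question.

Added example, not from the original post. Policies below are constructed
copies of the question's documents with its placeholder account IDs.
"""
import configparser
import io
import re

SOURCE_ACCOUNT = "999999999999"  # logging source, from the question
DEST_ACCOUNT = "111111111111"    # logging destination, from the question
SOURCE_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/EC2CloudWatchLoggerRole"
DEST_ROLE_ARN = f"arn:aws:iam::{DEST_ACCOUNT}:role/LogStreamerRole"
LOG_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

# Source account: permissions policy on the instance-profile role.
SOURCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": DEST_ROLE_ARN}],
}

# Destination account: trust policy on LogStreamerRole.
DEST_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": [SOURCE_ROLE_ARN]},
                   "Action": "sts:AssumeRole"}],
}

# Destination account: permissions policy on LogStreamerRole. The question uses
# arn:aws:logs:*:*:*; this copy is scoped to the destination account (assumption:
# all log groups live in the central account), which is all the agent needs.
DEST_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(LOG_ACTIONS),
                   "Resource": f"arn:aws:logs:*:{DEST_ACCOUNT}:*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style '*' wildcard match, case-insensitive (simplified matcher)."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _allow_statements(policy):
    # Simplification: Deny, NotAction and Condition are not evaluated.
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def _has_action(statement, action):
    return any(_wild(a, action) for a in _as_list(statement.get("Action", [])))


def source_can_assume(policy, dest_role_arn):
    """Source role's permissions policy allows sts:AssumeRole on the target role."""
    return any(_has_action(s, "sts:AssumeRole")
               and any(_wild(r, dest_role_arn) for r in _as_list(s.get("Resource", [])))
               for s in _allow_statements(policy))


def dest_trusts(trust_policy, source_role_arn):
    """Destination trust policy names the source role ARN as an AWS principal."""
    for s in _allow_statements(trust_policy):
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if _has_action(s, "sts:AssumeRole") and source_role_arn in aws:
            return True
    return False


def dest_allows_logs(policy, log_arn):
    """Destination role holds all three logs:* actions on the given stream ARN."""
    allowed = set()
    for s in _allow_statements(policy):
        if any(_wild(r, log_arn) for r in _as_list(s.get("Resource", []))):
            allowed |= {need for need in LOG_ACTIONS if _has_action(s, need)}
    return LOG_ACTIONS <= allowed


def check_chain(source_policy, dest_trust, dest_policy,
                source_role_arn, dest_role_arn, log_arn):
    """Evaluate all three links; every value must be True for cross-account writes."""
    return {
        "source_can_assume": source_can_assume(source_policy, dest_role_arn),
        "dest_trusts_source": dest_trusts(dest_trust, source_role_arn),
        "dest_allows_logs": dest_allows_logs(dest_policy, log_arn),
    }


def agent_credential_profile(dest_role_arn, region):
    """Render only the [default] profile the answer adds (merge into the existing file).

    role_arn and credential_source are standard AWS shared-config keys: the
    instance-profile credentials are used solely for sts:AssumeRole, and every
    logs:* call is then signed with the destination role's credentials.
    """
    cfg = configparser.ConfigParser()
    cfg["default"] = {"region": region, "role_arn": dest_role_arn,
                      "credential_source": "Ec2InstanceMetadata"}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def parse_profile(text, section="default"):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return dict(cfg[section])


if __name__ == "__main__":
    log_arn = (f"arn:aws:logs:us-west-2:{DEST_ACCOUNT}:log-group:"
               "Linux/var/log/messages:log-stream:i-123456789abcdef")
    results = check_chain(SOURCE_ROLE_POLICY, DEST_TRUST_POLICY, DEST_ROLE_POLICY,
                          SOURCE_ROLE_ARN, DEST_ROLE_ARN, log_arn)
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'MISSING'}")
    print(agent_credential_profile(DEST_ROLE_ARN, "us-west-2"))
```

Run against the log-stream ARN from the question's error message (account 999999999999), `dest_allows_logs` returns False with the scoped policy: that ARN is in the source account, which is exactly why the agent's own-account write fails until it assumes LogStreamerRole and writes into 111111111111.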