当我 stream 多个 cloudwatch 日志组到一个 lambda 时,如何增加策略限制?
[英]How can I increase the policy limits when I stream multiple cloudwatch log group to one lambda?
问题描述
I have setup a lambda function to be triggered by many cloudwatch log groups.
我已经设置了一个 lambda function 被许多 cloudwatch 日志组触发。 In order to do that, I added the invoke function permission on log group aws lambda add-permission and add subscription as lambda as destination aws logs put-subscription-filter .为此,我在日志组aws lambda add-permission权限上添加了调用 function 权限,并将订阅添加为 lambda 作为目标aws logs put-subscription-filter 。 There are hundreds of log groups I need to stream to one lambda which makes the lambda trigger policy very big.有数百个日志组我需要 stream 到一个 lambda 这使得 lambda 触发策略非常大。
There two commands in this flow aws lambda add-permission and aws logs put-subscription-filter .此流程中有两个命令aws lambda add-permission和aws logs put-subscription-filter 。 I need to run these two commands per each log group.我需要为每个日志组运行这两个命令。 I added 46 cloudwath log groups as trigger for the lambda but when adding the 47th I got an error.我添加了 46 个 cloudwath 日志组作为 lambda 的触发器,但是在添加第 47 个时出现错误。
The error I got was this command:我得到的错误是这个命令:
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com \
--source-arn $logArn
An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20623) is bigger than the limit (20480).
arn:aws:logs:ap-southeast-2:***
Is there a way to get around of that?有没有办法解决这个问题? Is this a right way to stream hundreds of log groups to one lambda?这是将数百个日志组 stream 到一个 lambda 的正确方法吗?
I have tried to use wildcard in the command but got a validation error.我尝试在命令中使用wildcard ,但出现验证错误。
aws lambda add-permission --function-name $AGGREGATOR_NAME --statement-id $ID --action lambda:InvokeFunction --principal logs.ap-southeast-2.amazonaws.com --source-arn "arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*"
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*' at 'sourceArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)
1 个解决方案
解决方案1
0 已采纳 2020-09-21 23:58:04
A way to get around of this is to utilize wildcard in --source-arn .解决这个问题的一种方法是在--source-arn中使用通配符。 By doing this, you don't need one lambda resource-based policy for each CloudWatch log group.通过这样做,您不需要为每个 CloudWatch 日志组制定一个 lambda 基于资源的策略。 Of course, the simplest way is to allow all log groups to execute lambda:InvokeFunction .当然,最简单的方法就是让所有的日志组都执行lambda:InvokeFunction 。 In this case, you just need在这种情况下,你只需要
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com
Notice that the --source-arn is removed.请注意, --source-arn已被删除。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.