[英]Aws IAM group: Setup readonly access on log group on Terraform
有人知道如何设置对特定日志组的只读访问吗?
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "logs" {
group = "${aws_iam_group.logs.name}"
policy_arn = "${aws_iam_policy.logs.arn}"
}
resource "aws_iam_group" "logs" {
name = "${title(var.product)}Logs"
}
我目前正在努力设置为只能访问指定的日志组,但我只能在将资源设置为“*”时才能访问它们。 当我将其设置为专用于预定义日志组时,这是不可能的。 有人有好的做法或解决方案吗? 当我尝试上面的这个解决方案时,我只得到
未授权执行:logs:FilterLogEvents,当我尝试通过属于 IAM 组“logs”的用户访问它时。
aws_cloudwatch_log_group.one.arn
已经是one
日志组的完整ARN,即
阿尔恩:AWS:日志:美东1:123456789012:登录组:一个
因此,仅参考“ Resources
列表中的内容:
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
我能够通过向语句添加按标签过滤条件并确保日志组和流被相应标记来解决这个问题:
"Condition": {
"StringEquals": {
"aws:ResourceTag/sometagname": "sometagvalue"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.