本文介绍了CloudWatch Logs代理无法承担将日志发送到其他帐户的角色的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有2个AWS帐户。


  • 帐户A:具有Amazon的awslogs客户端的EC2实例

  • 帐户B:集中日志记录帐户

  • Account A: EC2 instances with awslogs client from amazon
  • Account B: Centralized logging account

我要发送日志从使用awslogs客户端(帐户A )的EC2实例从一个帐户到另一个帐户(帐户B )中的CloudWatch Logs。

I want to send logs from the EC2 instance with awslogs client (in account A) from one account to CloudWatch Logs in an another account (account B).

通过在帐户B中创建IAM用户并在 awscli.conf 中设置AWS凭证密钥,可以很好地工作,但我不希望对密钥进行硬编码,因此我尝试扮演以下角色:

It works fine by creating an IAM user in Account B and setting up the AWS credential key in awscli.conf, but I do not want keys to be hardcoded, so I'm trying to assume role as follows:

IAM在帐户B(CloudWatch帐户)中的角色角色名称 CloudWatchCrossRole

IAM Role in Account B (the CloudWatch account), I created a role name CloudWatchCrossRole:

内联策略(允许该角色将日志写入CloudWatch Logs):

Inline policy (allow this role to write logs to CloudWatch Logs):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

信任政策:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:role/CLoudWatchInstanceProfile"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

在帐户A中,我使用配置文件 CLoudWatchInstanceProfile 启动一个EC2实例,该配置文件如下所示:

In Account A, I start an EC2 instance with the profile CLoudWatchInstanceProfile that looks as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_B:role/CloudWatchCrossRole"
        }
    ]
}

不高兴,日志被推送到ACCOUNT_A而不是ACCOUNT_B。谁能给我提示CloudWatch Logs上的AssumeRole是否可能,还是必须创建一个IAM用户并在 awscli.conf 中对凭据进行硬编码?

No joy, the logs are pushed to ACCOUNT_A instead of ACCOUNT_B. Can anyone give me hint whether AssumeRole on CloudWatch Logs is possible or if it is mandatory to create an IAM user and hardcode the credentials in awscli.conf?

推荐答案

此方法有两个问题。

首先,什么都没有调用 AssumeRole 帐户B中的角色。CloudWatchLogs代理期望凭据,而不是角色。

First, nothing is calling AssumeRole on the role in Account B. The CloudWatch Logs agent is expecting credentials, not a role.

第二,实例配置文件

我也找不到任何文档来说明如何在 awscli.conf中插入凭据

Nor could I find any documentation to show how to insert credentials in the awscli.conf file you mentioned (can you show a sample)?

几个选项:


  • 在帐户B中创建一个用户,并将生成的访问/保密密钥提供给CloudWatch Logs代理(您似乎已经完成,但不喜欢),或者

  • 在针对角色调用 AssumeRole 的实例上运行一个进程在帐户B中,然后将这些凭据提供给CloudWatch Logs代理

  • Create a User in Account B and provide the resulting Access/Secret key to the CloudWatch Logs agent (as you seem to have done, but don't like), or
  • Have a process run on the instance that calls AssumeRole against the role in Account B, then provide those credentials to the CloudWatch Logs agent

如果您已订阅AWS Support,请打开一个支持案例以请求指导。

If you are subscribed to AWS Support, open a support case to request guidance.

这篇关于CloudWatch Logs代理无法承担将日志发送到其他帐户的角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-01 20:02