InvalidParameterException: Please ensure that the CreateExportTask caller has been granted s3:PutObject access to the bucket

Published on 2025-01-12 22:31:41, 810 characters, 0 views, 0 comments


I am trying to create a scheduled Lambda which will call the CloudWatch "createExportTask" function to export logs from Account A (which contains the logs, i.e. the source) to Account B (which contains the S3 bucket, i.e. the destination).

However, I am getting the following error:

InvalidParameterException: Please ensure that the CreateExportTask caller has been granted s3:PutObject access to the bucket.

I am not sure whether the issue is with the parameters in the "createExportTask" function for S3 access.
Refer to the Errors section - https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateExportTask.html

  1. I tried to run the export task manually; it works correctly.
  2. I tried to run the export task via Lambda in the same account; it works correctly.
  3. I have created an IAM role in account B (destination account) with S3 write permission and a trust relationship with account A (source account).
  4. I have given assume-role permission for the IAM role created in account B (destination account) to the Lambda execution IAM role in account A (source account).

Let me know if you need the IAM roles and trust relationship details.


Comments (1)

Comment by 以为你会在, 2025-01-19 22:31:41


Quite a late response, but still..

I think the only part you are missing is the proper permissions policy on the S3 bucket.

As the AWS guide says (the guide is for the CLI, but this part is equivalent), you need to attach a policy like the following directly to the S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Action": "s3:GetBucketAcl",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-exported-logs",
          "Principal": { "Service": "logs.Region.amazonaws.com" },
          "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "AccountId1",
                    "AccountId2",
                    ...
                ]
            },
            "ArnLike": {
                "aws:SourceArn": [
                    "arn:aws:logs:Region:AccountId1:log-group:*",
                    "arn:aws:logs:Region:AccountId2:log-group:*",
                    ...
                ]
            }
          }
      },
      {
          "Action": "s3:PutObject",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-exported-logs/*",
          "Principal": { "Service": "logs.Region.amazonaws.com" },
          "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": [
                    "AccountId1",
                    "AccountId2",
                    ...
                ]
            },
            "ArnLike": {
                "aws:SourceArn": [
                    "arn:aws:logs:Region:AccountId1:log-group:*",
                    "arn:aws:logs:Region:AccountId2:log-group:*",
                    ...
                ]
            }
          }
      }
    ]
}
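As an added example (not the answerer's code), a small Python helper that fills in the placeholders of the policy above and then checks a bucket policy for the two grants the CloudWatch Logs service principal needs; the bucket name, region and account IDs are constructed placeholders. It also shows why the role-based setup in the question still fails: a statement whose principal is an IAM role is not a grant to logs.Region.amazonaws.com, which is the identity that actually writes the export.

```python
def build_export_bucket_policy(bucket, region, account_ids):
    """Bucket policy from the answer above with its placeholders filled in."""
    principal = {"Service": f"logs.{region}.amazonaws.com"}
    source_arns = [f"arn:aws:logs:{region}:{a}:log-group:*" for a in account_ids]
    common = {"Effect": "Allow", "Principal": principal}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {**common, "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringEquals": {"aws:SourceAccount": list(account_ids)},
                           "ArnLike": {"aws:SourceArn": source_arns}}},
            {**common, "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/*",
             # Logs writes objects with this ACL so the bucket owner keeps control.
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                                            "aws:SourceAccount": list(account_ids)},
                           "ArnLike": {"aws:SourceArn": source_arns}}},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

def missing_export_grants(policy, bucket, region, source_account):
    """Grants the Logs service principal still lacks for exporting log groups from
    source_account into bucket; an empty set means the policy is sufficient.
    Checks principal, aws:SourceAccount, action and resource (not ArnLike)."""
    needed = {("s3:GetBucketAcl", f"arn:aws:s3:::{bucket}"),
              ("s3:PutObject", f"arn:aws:s3:::{bucket}/*")}
    service = f"logs.{region}.amazonaws.com"
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if service not in _as_list(principal.get("Service", [])):
            continue  # granted to an IAM role/user, not to the service that writes
        cond = st.get("Condition", {}).get("StringEquals", {})
        accounts = _as_list(cond.get("aws:SourceAccount", []))
        if accounts and source_account not in accounts:
            continue  # scoped to other source accounts
        for action in _as_list(st["Action"]):
            for resource in _as_list(st["Resource"]):
                needed.discard((action, resource))
    return needed

if __name__ == "__main__":
    # Constructed sample values: bucket, region and account IDs are placeholders.
    policy = build_export_bucket_policy("my-exported-logs", "us-east-1", ["111111111111"])
    print(missing_export_grants(policy, "my-exported-logs", "us-east-1", "111111111111"))
    print(missing_export_grants(policy, "my-exported-logs", "us-east-1", "222222222222"))
```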