Minimum IAM policy needed to forward logs to Amazon CloudWatch from OCP

Solution Verified

Environment

  • OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Logging
    • 5

Issue

  • What is the minimum set of AWS IAM permissions required to forward logs to CloudWatch, for environments whose security policy requires least-privilege grants?

Resolution

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

Note: For ROSA clusters that use AWS STS, refer instead to Using the CloudWatch Logging add-on with ROSA STS Clusters.

Forwarding logs from Red Hat OpenShift Logging to Amazon CloudWatch relies on the fluent-plugin-cloudwatch-logs plug-in.
The plug-in's own documentation lists the restricted IAM policy set reproduced below. Refer to fluent-plugin-cloudwatch-logs - Preparation for more details.

The more restricted IAM policy for out_cloudwatch_logs is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
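The policy above is the full answer to the question; what a practitioner usually wants next is a way to confirm that the policy actually attached to the forwarder's IAM user or role grants exactly those six actions and nothing more. The following Python script is an added example written for this article; it is not part of Red Hat OpenShift Logging or of the fluent-plugin-cloudwatch-logs project. It parses an IAM policy document, reports any of the six required actions that are not granted, any surplus actions or wildcard patterns (such as logs:*) that go beyond the minimum, and whether the statement uses Resource "*". The sample policies and the account ID and log-group ARN inside them are constructed for the example; narrowing Resource below "*" is a hardening option the script merely exposes, not something the article recommends, and which CloudWatch Logs actions accept a resource-level ARN should be checked against the AWS IAM reference before doing so.

```python
import fnmatch
import json

# Minimum action set for out_cloudwatch_logs, taken from the policy quoted in this article.
REQUIRED_ACTIONS = frozenset({
    "logs:PutLogEvents",
    "logs:CreateLogGroup",
    "logs:PutRetentionPolicy",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
})


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield only the Allow statements; Deny statements never grant anything."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def _matches(action, pattern):
    """IAM action matching is case-insensitive and supports the * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyse_policy(policy):
    """Compare a parsed policy document with the minimum CloudWatch Logs action set.

    Returns a dict with three entries:
      missing            required actions that no Allow statement covers
      extra              granted actions or patterns outside the required set (e.g. "logs:*")
      wildcard_resource  True when an Allow statement uses Resource "*"
    """
    granted = set()
    wildcard_resource = False
    for stmt in allow_statements(policy):
        granted.update(_as_list(stmt.get("Action")))
        if "*" in _as_list(stmt.get("Resource")):
            wildcard_resource = True

    missing = {a for a in REQUIRED_ACTIONS
               if not any(_matches(a, g) for g in granted)}
    # Anything that is not literally one of the six required actions is surplus;
    # this includes wildcard patterns, which grant more than the plug-in needs.
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    extra = {g for g in granted if g.lower() not in required_lower}
    return {"missing": missing, "extra": extra, "wildcard_resource": wildcard_resource}


def minimum_policy(resource="*"):
    """Build the minimum policy. `resource` defaults to "*" as in the article; passing a
    narrower CloudWatch Logs ARN is an option of this example only (assumption, not a
    recommendation from the article)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": resource,
        }],
    }


def report(policy_json):
    """Parse a policy document as exported from IAM and analyse it."""
    return analyse_policy(json.loads(policy_json))


# Constructed sample policy documents (no real account data).
PAGE_POLICY = """
{"Version": "2012-10-17",
 "Statement": [{"Action": ["logs:PutLogEvents", "logs:CreateLogGroup",
                           "logs:PutRetentionPolicy", "logs:CreateLogStream",
                           "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
                "Effect": "Allow", "Resource": "*"}]}
"""
BROAD_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"logs:*","Resource":"*"}]}'
INCOMPLETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
        # Constructed ARN: account 111122223333 and log group "ocp-logs" are placeholders.
        "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:ocp-logs:*",
    }],
})


if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("broad", BROAD_POLICY), ("incomplete", INCOMPLETE_POLICY)]:
        print(name, report(doc))
```

Running the script prints one line per sample: the article's policy has nothing missing and nothing extra but uses a wildcard resource; the broad policy grants logs:* and is flagged as surplus; the incomplete policy lacks logs:PutRetentionPolicy, which the plug-in needs when it is configured to set a retention period on the log group it creates.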

Root Cause

CloudWatch forwarding in OpenShift Logging is implemented by the fluent-plugin-cloudwatch-logs plug-in; in other words, the IAM permissions the plug-in requires are the same permissions OpenShift Logging requires.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
