Log Analytics Pipeline: Unable to deploy cross account lambda pipelines #227

Closed
megasarl opened this issue Dec 7, 2023 · 5 comments
Labels: bug Something isn't working

Comments

@megasarl

megasarl commented Dec 7, 2023

Describe the bug

All attempts to set up a Log Pipeline between two AWS accounts in EU-West-1 fail the CloudFormation creation with the message "(AccessDeniedException) when calling the PutSubscriptionFilter operation".

Expected Behavior

The log pipeline should set up all resources, including the permissions, and reach a success state in the Centralized Logging with OpenSearch UI.

Current Behavior

When using the UI to deploy a cross account Lambda collection the stack ends up in a rollback state with the error being:

Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDeniedException) when calling the PutSubscriptionFilter operation: User with accountId: #memberAccountID# is not authorized to perform PutSubscriptionFilter on resources arn:aws:logs:eu-west-1:#AccountID#:destination:CL-SvcPipe-a6308ec8-CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW. Logs: /aws/lambda/CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackcwSubFilt-Y6nTxnoIOTsb at invokeUserFunction (/var/task/framework.js:2:6) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async onEvent (/var/task/framework.js:1:369) at async Runtime.handler (/var/task/cfn-response.js:1:1573) (RequestId: 853b8fcd-641f-41c2-8ce0-14b8c8f26474)

Following the troubleshooting guide for an earlier version for the exact error message indicates the correct values:
https://docs.aws.amazon.com/solutions/latest/centralized-logging-on-aws/troubleshooting.html

aws logs describe-destinations --region eu-west-1

    {
      "destinations": [
        {
          "destinationName": "CL-SvcPipe-a6308ec8-CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW",
          "targetArn": "arn:aws:firehose:eu-west-1:#AccountID#:deliverystream/CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW",
          "roleArn": "arn:aws:iam::#AccountID#:role/CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackCWDestinat-Zf9fjlcsykyR",
          "accessPolicy": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"\", \"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"#memberAccountID# \"}, \"Action\": \"logs:PutSubscriptionFilter\", \"Resource\": \"arn:aws:logs:eu-west-1:#AccountID#:destination:CL-SvcPipe-a6308ec8-CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW\"}]}",
          "arn": "arn:aws:logs:eu-west-1:#AccountID#:destination:CL-SvcPipe-a6308ec8-CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW",
          "creationTime": 1701945178823
        }
      ]
    }

(The account IDs in the logs above are redacted as #memberAccountID# and #AccountID#.)

Reproduction Steps

Set up "Centralized Logging with OpenSearch" in one account together with OpenSearch and connect a member account via the UI.
Try to create an aws-service-log pipeline for a Lambda in the remote account; it should result in an error.

Possible Solution

No response

Additional Information/Context

A similar earlier setup has been deployed on two other accounts with 2.0.0 without the issue.

Solution Version

2.1.1

AWS Region. e.g., us-east-1

eu-west-1

Other information

No response

@megasarl megasarl added the bug Something isn't working label Dec 7, 2023
@megasarl megasarl changed the title (Log Analytics Pipeline): Unable to deploy cross account lambda pipelines Log Analytics Pipeline: Unable to deploy cross account lambda pipelines Dec 7, 2023
@wchaws
Contributor

wchaws commented Dec 11, 2023

A quick workaround:

  1. Go to the member account
  2. Find a role name which looks like CrossAccountRoleFACE29D1
  3. Add an extra resource id ("arn:aws:logs:*:<parent-account-id>:destination:*") as follows:
     [screenshot]

It seems that AWS services got updated. The above policy resource was not needed before.
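
As an added illustration (not code from this issue or from the solution's own templates), a small Python check that evaluates whether a member-account role policy lets logs:PutSubscriptionFilter reach the parent-account destination named in the error above, before and after the workaround resource is added. The account ids and the "before" statement's resource list are constructed assumptions; the destination's own access policy (the accessPolicy from describe-destinations) is the other half of the cross-account grant and already allowed the member account here.

```python
import re

# Constructed account ids standing in for the redacted "#AccountID#" (parent running the
# solution) and "#memberAccountID#" (member whose Lambda logs are collected).
PARENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"

# Destination ARN in the shape reported by the CloudFormation error in this issue.
DESTINATION_ARN = (f"arn:aws:logs:eu-west-1:{PARENT_ACCOUNT}:destination:"
                   "CL-SvcPipe-a6308ec8-CL-SvcPipe-a6308ec8-CWtoFirehosetoS3StackDeliverySt-s9cKxt4GDgIW")

# Assumed shape of the member role's statement before the workaround: it may manage
# subscription filters on its own log groups but names no destination in the parent account.
BEFORE_STATEMENT = {
    "Effect": "Allow",
    "Action": "logs:PutSubscriptionFilter",
    "Resource": [f"arn:aws:logs:*:{MEMBER_ACCOUNT}:log-group:*"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate an identity policy for one action/resource: an explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def with_workaround(statement: dict) -> dict:
    """Copy of the statement with the destination resource the workaround adds in the member account."""
    fixed = dict(statement)
    fixed["Resource"] = _as_list(statement["Resource"]) + [f"arn:aws:logs:*:{PARENT_ACCOUNT}:destination:*"]
    return fixed


def role_can_subscribe(policy: dict) -> bool:
    """True when the role may call PutSubscriptionFilter against the parent-account destination."""
    return is_allowed(policy, "logs:PutSubscriptionFilter", DESTINATION_ARN)
```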

@megasarl
Author

Workaround confirmed, seems to work as expected when adding this resource to the IAM Role.

@StanForever

Can confirm. The workaround is working.

@debashish1976

Is there any update to this issue? I faced this issue multiple times and had to resolve it with the help of AWS Support. If we can update the CloudFormation template to be run on the member account, then it will resolve it once and for all.

@JoeShi
Contributor

JoeShi commented Mar 5, 2024

Is there any update to this issue? I faced this issue multiple times and had to resolve it with the help of AWS Support. If we can update the CloudFormation template to be run on the member account, then it will resolve it once and for all.

OK. We will release a patch version as soon as possible.

owenCCY pushed a commit to owenCCY/centralized-logging-with-opensearch that referenced this issue Mar 16, 2024
@evalzy evalzy closed this as completed Mar 19, 2024