Getting errors on LogGroups

I am getting similar errors surrounding LogGroup, and have gotten like 5 errors; another one keeps popping up. Can someone tell me all of the logs to check on in my policy file? Currently I have the following code:

"Statement": [
    {
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:FilterLogEvents",
            "logs:DeleteRequestLogGroup",
            "logs:UpdateRequestLogGroup"
        ],
        "Resource": "arn:aws:logs:us-east-1:*:*",
        "Effect": "Allow"
    }
]

The error I am getting is the following:

An error occurred while provisioning your stack: GetApproverRequestsLogGroup
- User: arn:aws:iam::XXXXXXXXX:user/todd is not authorized
to perform: logs:DescribeLogGroups on resource: arn:aws:logs:us-east-1:XXXXXXXXX:log-group::log-stream:

Thanks in advance. I keep giving my AWS guy the new codes, but there must be a place that tells me all of the groups to account for in the action array?

As mentioned in the text, you’re missing the logs:DescribeLogGroups permission in your Actions list - you have logs:DescribeLogStreams, but not ...Groups. This is why the documentation still recommends Administrator access.

Also, please remove your AWS account ID when sharing snippets :wink:
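
The check described in the reply above, as an added example that is not part of the original thread: it parses the posted denial message and tests it against the posted statement to show whether the Action list or the Resource pattern is the gap. The helper names are hypothetical, and it assumes a single Allow statement with no Deny statements or conditions in play.

```python
import re

# Added example; helper names are illustrative, not an AWS API.
# Statement and error text are copied from the question above.
POSTED_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogStreams", "logs:FilterLogEvents",
        "logs:DeleteRequestLogGroup", "logs:UpdateRequestLogGroup",
    ],
    "Resource": "arn:aws:logs:us-east-1:*:*",
}
POSTED_ERROR = (
    "User: arn:aws:iam::XXXXXXXXX:user/todd is not authorized to perform: "
    "logs:DescribeLogGroups on resource: "
    "arn:aws:logs:us-east-1:XXXXXXXXX:log-group::log-stream:"
)
DENIAL_RE = re.compile(r"not authorized\s+to perform:\s*(\S+)\s+on resource:\s*(\S+)")


def as_list(value):  # IAM accepts either one string or a list here
    return [value] if isinstance(value, str) else list(value)


def iam_match(pattern, value, ignore_case=False):
    """Match an IAM pattern: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def explain_denial(error_text, statement):
    """Say whether the statement's Action list and Resource cover a denial."""
    found = DENIAL_RE.search(error_text)
    if not found:
        raise ValueError("no 'not authorized to perform' denial in text")
    action, resource = found.groups()
    actions, resources = as_list(statement["Action"]), as_list(statement["Resource"])
    return {
        "action": action,
        "resource": resource,
        # Action names compare case-insensitively; ARNs are case-sensitive.
        "action_allowed": any(iam_match(p, action, True) for p in actions),
        "resource_covered": any(iam_match(p, resource) for p in resources),
    }


if __name__ == "__main__":
    print(explain_denial(POSTED_ERROR, POSTED_STATEMENT))
```

For the posted input the Resource pattern already covers the ARN in the error, so the only gap is the action name.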

First of all, thanks for your reply. I understand why Administrative Access is recommended. My question was more to find out how to cover all the bases for the logGroups. I tried “*” and it didn’t work. I ended up just adding more and more logGroups until the errors went away. And then I got the following error:

An error occurred while provisioning your stack: ListRequestLogGroup

  • /aws/lambda/requests-dev-listRequest already exists.

It is really difficult to debug the errors that come up with the already exists and LogGroup errors because they are not well documented when you run into them.

The quickest/easiest/surest way to fix the new error message is to remove the service, and re-deploy it from scratch.

There are other ways to get around the error (if you can’t afford to remove the stack) but they get tricky (for exactly the reasons you mentioned). Search the forum for “loggroup” to see some approaches.

Thanks for the help. I was able to get rid of all errors. I did have to do a lot of renaming of elements, mostly my database tables. Anyway, thanks for the help. I wish our company could just give admin access, but I understand there are a lot of reasons for not giving that control.
