Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(synthetics): canary permissions for cloudwatch logging are malformed #18910

Closed
wilhen01 opened this issue Feb 10, 2022 · 2 comments · Fixed by #18946
Closed

(synthetics): canary permissions for cloudwatch logging are malformed #18910

wilhen01 opened this issue Feb 10, 2022 · 2 comments · Fixed by #18946
Assignees
@kaizencc
Labels
@aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@wilhen01
Copy link
Contributor

wilhen01 commented Feb 10, 2022
edited
Loading

What is the problem?

When creating a canary using @aws-cdk/aws-synthetics-alpha version 2.10.0-alpha.0 and using the default role creation, the permissions allow the canary to run but it doesn't create logs in CloudWatch. I've traced this to the policy that is created around logging, which is generated as follows:

       {
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:::*",
            "Effect": "Allow"
        }

The Resource element is missing a region. It can be rectified by adding a more specific policy statement to the cdk code e.g.

    canary.role.addToPrincipalPolicy(
      new PolicyStatement({
        resources: [`arn:aws:logs:eu-west-1:${account ?? ''}:*`],
        actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
      })
    );

Reproduction Steps

   const canary = new Canary(this, id, {
      canaryName: 'Canary',
      schedule: Schedule.rate(Duration.minutes(1)),
      test: Test.custom({
        code: synthetics.Code.fromAsset(path.join(__dirname, 'canary')),
        handler: 'index.handler',
      }),
      runtime: Runtime.SYNTHETICS_NODEJS_PUPPETEER_3_3,
    });

What did you expect to happen?

Canary can create and write to CloudWatch logs with default role permissions

What actually happened?

Canary cannot create or write to CloudWatch logs with default role permissions

CDK CLI Version

2.10.0 (build e5b301f)

Framework Version

No response

Node.js Version

v14.15.5

OS

Mac OS / CodeBuild (same results locally and on CI)

Language

Typescript

Language Version

Typescript (4.2.4)

Other information

No response
@wilhen01 wilhen01 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 10, 2022
@github-actions github-actions bot added the @aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics label Feb 10, 2022
@kaizencc kaizencc added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2022
@kaizencc
Copy link
Contributor

Thanks for the report, @wilhen01! This looks like a long-standing bug. Happy to get a fix in momentarily.

@kaizencc kaizencc mentioned this issue Feb 11, 2022
Merged
@mergify mergify bot closed this as completed in #18946 Feb 14, 2022
mergify bot pushed a commit that referenced this issue Feb 14, 2022
@kaizencc
fix(synthetics): generated role has incorrect permissions for cloudwa…
f8bb85f 
…tch logs (#18946)

The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary.

Fixes #18910.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@kaizencc @TikiTDO
fix(synthetics): generated role has incorrect permissions for cloudwa…
625b30a 
…tch logs (aws#18946)

The generated role did not have the correct permissions to create cloudwatch logs, so even if the canary successfully deployed and ran, no cloudwatch streams were generated for the resource. This seems to be a long-standing bug in the synthetics module. What was missing was the region and account id, which should be the same region/account as the created canary.

Fixes aws#18910.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kaizencc kaizencc

Labels
@aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(synthetics): generated role has incorrect permissions for cloudwatch logs aws/aws-cdk
2 participants
@wilhen01 @kaizencc