Closed zaro0508 closed 2 years ago
Subscriber is the custom resource used to subscribe the logs to Kinesis. The easiest way to debug it is to create the stack with the setting to not delete on failure. Then find the Lambda it created and check its logs. The log will probably also remain even without this setting. It's just easier to find with this setting.
Thanks for the tip @kichik. I see the error in the logs..
Subscribe to all new log groups on resource Create
--
Finding all log groups with prefix '/aws/vpn'
Subscribe /aws/vpn/sagebase-client-vpn
Caught exception but unable to print stack trace
An error occurred (AccessDeniedException) when calling the PutSubscriptionFilter
operation: User with accountId: XXXXXXX7719 is not authorized to perform: logs:PutSubscriptionFilter
on resource: arn:aws:logs:us-east-1:XXXXXXX6444:destination:BucketBackupLogDestination
It looks like the account (XXXXXXX7719) we deployed the CloudWatch2S3-additional-account template to does not have access to the Kinesis stream in our central logging account (XXXXXXX6444).
You should be able to give it access by setting the AllowedAccounts parameter on the main stack.
Thanks @kichik. Setting AllowedAccounts fixed the problem.
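The AccessDeniedException in this thread depends on whether the destination's access policy names the sending account. The following Python check is an added example, not code from the CloudWatch2S3 project or from the participants; it evaluates a CloudWatch Logs destination policy document offline, using a constructed policy and placeholder account IDs, and assumes the AllowedAccounts parameter ends up as principals in that policy.

```python
import fnmatch
import json

ACTION = "logs:PutSubscriptionFilter"

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_accounts(principal):
    """Account IDs a Principal element names; "*" means any account."""
    if principal == "*":
        return {"*"}
    accounts = set()
    entries = principal.get("AWS") if isinstance(principal, dict) else None
    for entry in _as_list(entries):
        parts = entry.split(":")
        if len(parts) == 6 and parts[2] == "iam":
            if parts[5] == "root":       # only the root ARN stands for the whole account
                accounts.add(parts[4])
        else:
            accounts.add(entry)          # bare account ID or "*"
    return accounts

def account_allowed(policy_json, account_id, destination_arn):
    """Evaluate Allow/Deny statements; Condition blocks are not evaluated."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not {"*", account_id} & _principal_accounts(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(ACTION.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(destination_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False                 # explicit deny always wins
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_accounts(policy_json, account_ids, destination_arn):
    """Accounts that would still get AccessDeniedException on this destination."""
    return [a for a in account_ids if not account_allowed(policy_json, a, destination_arn)]

# Constructed sample data: placeholder account IDs, not the masked IDs from the thread.
DEST = "arn:aws:logs:us-east-1:222222222222:destination:BucketBackupLogDestination"
def sample_policy(accounts):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": accounts},
        "Action": "logs:PutSubscriptionFilter", "Resource": DEST}]})
```

The policy text to check can be taken from the `accessPolicy` field that `aws logs describe-destinations` returns in the central logging account.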
We are able to deploy arn:aws:serverlessrepo:us-east-1:859319237877:applications/CloudWatch2S3 from the serverless repo without error. However when we attempt to deploy arn:aws:serverlessrepo:us-east-1:859319237877:applications/CloudWatch2S3-additional-account we get the following error..
Our parameter inputs for CloudWatch2S3-additional-account template are:
We are using SemanticVersion 1.0.5. The failure message makes it difficult to debug. Has anyone seen this problem before?