DataDog / cloudformation-template

Easily set up the Datadog AWS integration using CloudFormation
Apache License 2.0

Missing permission logs:describeloggroups #20

Closed plumdog closed 3 years ago

plumdog commented 3 years ago

Expected Behavior

When using the role created in https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml, expect that all Datadog AWS integrations work and report as working from within Datadog.

Actual Behavior

Amazon Lambda integration reports as "! Broken", and tells me: "Datadog is not authorized to perform action logs:describeloggroups". All other integrations report as working, and based on my investigation are indeed working fine. I'm not sure what functionality is impacted by this missing permission.

And, indeed:

$ aws iam get-role-policy --role-name DatadogIntegrationRole --policy-name DatadogAWSIntegrationPolicy | jq -r '.PolicyDocument.Statement[0].Action[]' | grep logs
logs:TestMetricFilter
logs:PutSubscriptionFilter
logs:DeleteSubscriptionFilter
logs:DescribeSubscriptionFilters

Steps to Reproduce the Problem

Apply the CloudFormation stack https://github.com/DataDog/cloudformation-template/blob/master/aws/datadog_integration_role.yaml, complete integration with Datadog, review integrations within Datadog.

Specifications

Unclear. Are they versioned?
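
An added example, not part of the original issue or the Datadog project: checking a role policy document for a required action the way IAM matches action names (case-insensitively, with * and ? wildcards), which matters here because the error message spells the action in lowercase while the policy lists mixed-case names. The sample policy is constructed, the function names are hypothetical, and only the Effect and Action elements are evaluated (NotAction, Resource and Condition are ignored).

```python
import json
from fnmatch import fnmatchcase

# Constructed sample shaped like `aws iam get-role-policy` output: the four
# logs actions shown in the issue plus one constructed wildcard entry.
SAMPLE = json.loads("""
{"PolicyDocument": {"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
    "logs:TestMetricFilter", "logs:PutSubscriptionFilter",
    "logs:DeleteSubscriptionFilter", "logs:DescribeSubscriptionFilters",
    "lambda:List*"]}
]}}
""")

def _as_list(value):
    # IAM accepts a single string/object or a list for Statement and Action.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    # Escape "[" so fnmatch does not read it as a character class.
    pattern = pattern.lower().replace("[", "[[]")
    return fnmatchcase(action.lower(), pattern)

def action_status(policy_document, action):
    """Return "deny", "allow" or "missing" for one action (hypothetical helper)."""
    status = "missing"
    for stmt in _as_list(policy_document.get("Statement")):
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit Deny overrides any Allow
        if stmt.get("Effect") == "Allow":
            status = "allow"
    return status

def missing_actions(policy_document, required):
    """List the required actions that the document does not allow."""
    return [a for a in required if action_status(policy_document, a) != "allow"]

if __name__ == "__main__":
    doc = SAMPLE["PolicyDocument"]
    # Action names spelled in lowercase, as in the Datadog error message.
    print(missing_actions(doc, ["logs:describeloggroups", "logs:testmetricfilter"]))
```
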

plumdog commented 3 years ago

Closing, see https://github.com/DataDog/cloudformation-template/pull/21#issuecomment-832703521

winjer commented 2 years ago

Hi there,

I've got a !Broken panel for Amazon Lambda showing in my integrations, and it looks to be because of this issue.

I don't really mind if this permission is not required, but I do mind that I have something on the dashboard showing as Broken when it is not broken.

How do I stop this looking broken?

b4stien commented 2 months ago

2.5 years later, I concur: we get a big red warning because of this.