### Describe the question/issue
- Issue 1
Fluent bit logs show error `AccessDeniedException` because it tries to create a log group that it is not allowed / is not configured:
```
time="2024-06-13T18:48:52Z" level=error msg="AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/fluentbit-task-role/xxxxxxx is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:xxxxxxxxxxxx:log-group:fluent-bit-cloudwatch:log-stream: because no identity-based policy allows the logs:CreateLogGroup action\n\tstatus code: 400, request id: xxxxxxxx"
```
However, our output plugin setting is:
```
[OUTPUT]
Name cloudwatch_logs
Match *
region ca-central-1
log_group_name testname
log_stream_name teststream
auto_create_group false
Retry_Limit no_limits
```
During fluent-bit startup we see following logs:
```
[2024/06/13 19:22:22] [ info] cloudwatch.0
...
time="2024-06-13T19:22:22Z" level=info msg="[cloudwatch 0] plugin parameter auto_create_stream = 'true'"
time="2024-06-13T19:22:22Z" level=info msg="[cloudwatch 0] plugin parameter auto_create_group = 'true'"
...
time="2024-06-13T19:22:22Z" level=info msg="[cloudwatch 0] plugin parameter region = 'us-east-1'"
...
time="2024-06-13T19:22:22Z" level=info msg="[cloudwatch 0] plugin parameter default_log_group_name = 'fluentbit-default'"
time="2024-06-13T19:22:22Z" level=info msg="[cloudwatch 0] plugin parameter log_group_name = 'fluent-bit-cloudwatch'"
```
Our configuration only uses the newer `cloudwatch_logs` plugin. We do not specify or use the `cloudwatch` plugin.
It seems that the `cloudwatch` plugin is being used for some reason as well, even though it is not being specified by us. It is using some config that specifies `us-east-1` region and `fluent-bit-cloudwatch` log group, as shown in the logs. This then causes the denied exception error.
In regards to our specified `cloudwatch_logs` plugin - we are seeing logs written to the specified log group / log stream correctly.
- Issue 2
As shown above in the output config, we set the `Retry_Limit` to `no_limits`.
However, logs show:
```
[2024/06/13 19:31:07] [ warn] [engine] chunk '1-1718307049.471694794.flb' cannot be retried: task_id=0, input=syslog.1 > output=cloudwatch.0
[2024/06/13 19:31:07] [debug] [task] task_id=0 reached retry-attempts limit 1/1
```
Earlier startup logs show:
```
[2024/06/13 19:30:50] [debug] [output:cloudwatch_logs:cloudwatch_logs.1] task_id=0 assigned to thread #0
```
It's not completely clear to me whether the `task_id=0 reached retry-attempts limit 1/1` is referencing `cloudwatch_logs` plugin. If so, then why is it not respecting our `Retry_Limit no_limits` setting? (We've also tried different settings, e.g. `5` instead of `no_limits`). Or is the `task_id=0 reached retry-attempts limit 1/1` related to the previous error line that references `cloudwatch.0`, which means that it is also related to our mysterious `cloudwatch` plugin.
### Configuration
ECS Config:
Fluent Bit Log Output
See above.
Fluent Bit Version Info
Container:
aws-for-fluent-bit:init-latest
Fluent-bit version: Fluent Bit v1.9.10Cluster Details
Application Details
Steps to reproduce issue
Related Issues