boto / botocore

The low-level, core functionality of boto3 and the AWS CLI.
Apache License 2.0

WAFV2 PutLoggingConfiguration raising AccessDeniedException without naming required permissions #3159

Closed LumaC0 closed 2 months ago

LumaC0 commented 2 months ago

### Describe the bug

```python
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
```

The above code fails when the WAF logging configuration doesn't already exist and the executing role allows wafv2:PutLoggingConfiguration in its permissions. The error:

```text
ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: You don't have the permissions that are required to perform this operation.
```

Could be more descriptive and tell me which permission is missing, like it does when wafv2:PutLoggingConfiguration is missing from the IAM policy.

### Expected Behavior

```python
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
```

Outputs:

```text
ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: The following IAM permissions are needed to perform this operation: [permission1, permission2, permission3]
```

### Current Behavior

```python
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
```

Raises:

```text
----> 1 waf.put_logging_configuration(LoggingConfiguration={
      2 'ResourceArn': '<arn>',
      3 'LogDestinationConfigs': ['<arn>']})

File ~/.asdf/installs/python/3.11.7/lib/python3.11/site-packages/botocore/client.py:553, in ClientCreator._create_api_method.<locals>._api_call(self, *args, **kwargs)
    549     raise TypeError(
    550         f"{py_operation_name}() only accepts keyword arguments."
    551     )
    552 # The "self" in this scope is referring to the BaseClient.
--> 553 return self._make_api_call(operation_name, kwargs)

File ~/.asdf/installs/python/3.11.7/lib/python3.11/site-packages/botocore/client.py:1009, in BaseClient._make_api_call(self, operation_name, api_params)
   1005     error_code = error_info.get("QueryErrorCode") or error_info.get(
   1006         "Code"
   1007     )
   1008     error_class = self.exceptions.from_code(error_code)
-> 1009     raise error_class(parsed_response, operation_name)
   1010 else:
   1011     return parsed_response

ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: You don't have the permissions that are required to perform this operation.
```

### Reproduction Steps

  1. Create a web application firewall from the console, making sure to leave the logging configuration disabled. Copy the ARN.
  2. Create an S3 bucket with the bucket name prefixed with `aws-waf-logs-`.
  3. Create a role or user and add allow `wafv2:PutLoggingConfiguration` in its IAM policy.
  4. Set credential env vars for the account and role/user created above.
  5. Run the following code, filling in the ARNs of the WAF and bucket:

     ```python
     from boto3 import client

     wafv2 = client("wafv2")
     wafv2.put_logging_configuration(LoggingConfiguration={
         'ResourceArn': '',
         'LogDestinationConfigs': ['']
     })
     ```


### Possible Solution

Add the required permissions to the error message

### Additional Information/Context

_No response_

### SDK version used

1.34.29

### Environment details (OS name and version, etc.)

Linux Kernel: 6.8.5-arch1-1

LumaC0 commented 2 months ago

This link: https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html#logging-s3-permissions says exactly what's needed. I'm mostly concerned with the error message.
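The issue body and the comment above both come down to the same operational gap: the call is denied, the caller knows it granted `wafv2:PutLoggingConfiguration`, and the service message does not say what else is missing. The following is an added example, not botocore's or boto3's own code, of how a caller can close that gap on its side: a pure classifier that inspects the error response dict a `ClientError` carries, detects whether the message names any IAM action, and otherwise points the operator at the logging-permissions guide linked above. The docs URL and the permission name are taken from this issue; the sample response dicts are constructed, the placeholder ARNs are not real resources, and the output format of `explain_client_error` is this example's own design. The `__main__` demo replays the denial offline with botocore's `Stubber`, so it needs boto3 installed but never contacts AWS.

```python
"""Added example (not botocore's own code): classify a WAFV2
PutLoggingConfiguration failure so an AccessDeniedException is reported
with the context the raw service message lacks."""
import re

# Quoted in this issue: the one permission the reporter had granted, and the
# guide that lists everything WAF logging to S3 requires.
KNOWN_PERMISSION = "wafv2:PutLoggingConfiguration"
LOGGING_PERMISSIONS_DOC = (
    "https://docs.aws.amazon.com/waf/latest/developerguide/"
    "logging-s3.html#logging-s3-permissions"
)

# IAM action names look like "wafv2:PutLoggingConfiguration": lowercase
# service prefix, colon, CamelCase action. ARNs ("arn:aws:...") do not
# match because the text after the colon is lowercase.
_IAM_ACTION = re.compile(r"\b[a-z0-9-]+:[A-Z][A-Za-z0-9*]+")

# Constructed sample of ClientError.response for the failure reported above
# (the Message is the one quoted in the issue; the metadata is made up).
SAMPLE_ACCESS_DENIED = {
    "Error": {
        "Code": "AccessDeniedException",
        "Message": "You don't have the permissions that are required "
                   "to perform this operation.",
    },
    "ResponseMetadata": {"HTTPStatusCode": 400,
                         "RequestId": "constructed-request-id"},
}


def explain_client_error(response, operation_name):
    """Turn a botocore error response dict into an actionable record.

    Pure function (no SDK import, no network), so it can be tested on
    captured responses. Returns the error code, the IAM actions the
    message names (if any), and a hint telling the operator what to check.
    """
    error = response.get("Error", {})
    code = error.get("Code", "Unknown")
    message = error.get("Message", "")
    named = _IAM_ACTION.findall(message)
    if code == "AccessDeniedException" and named:
        hint = f"Grant {', '.join(named)} to the calling principal."
    elif code == "AccessDeniedException":
        # The case from this issue: denied without naming the missing action,
        # even though KNOWN_PERMISSION was granted, so point at the full list.
        hint = (f"{operation_name} was denied without naming the missing "
                f"action; this issue reports that {KNOWN_PERMISSION} alone "
                f"is not enough for a first-time logging setup. Compare the "
                f"principal's policy with {LOGGING_PERMISSIONS_DOC}.")
    else:
        hint = f"{operation_name} failed with {code}: {message}"
    return {"code": code, "permissions_named": named, "hint": hint}


def put_waf_logging(wafv2, resource_arn, log_destination_arn):
    """Configure logging for one web ACL and return a result dict instead of
    letting the bare ClientError escape without an explanation."""
    # Imported here so the classifier above stays usable without the SDK.
    from botocore.exceptions import ClientError
    try:
        wafv2.put_logging_configuration(LoggingConfiguration={
            "ResourceArn": resource_arn,
            "LogDestinationConfigs": [log_destination_arn],
        })
    except ClientError as exc:
        return {"ok": False,
                **explain_client_error(exc.response, exc.operation_name)}
    return {"ok": True}


if __name__ == "__main__":
    # Offline demo: Stubber replays the denial from this issue against a real
    # wafv2 client object, so no AWS account is touched.
    import boto3
    from botocore.stub import Stubber

    wafv2 = boto3.client("wafv2", region_name="us-east-1",
                         aws_access_key_id="constructed",
                         aws_secret_access_key="constructed")
    with Stubber(wafv2) as stub:
        stub.add_client_error(
            "put_logging_configuration",
            service_error_code="AccessDeniedException",
            service_message=SAMPLE_ACCESS_DENIED["Error"]["Message"],
            http_status_code=400,
        )
        # Placeholder ARNs (not real resources), long enough to pass
        # botocore's minimum-length parameter validation.
        print(put_waf_logging(
            wafv2,
            "arn:aws:wafv2:us-east-1:000000000000:regional/webacl/placeholder/"
            "00000000-0000-0000-0000-000000000000",
            "arn:aws:s3:::aws-waf-logs-placeholder",
        ))
```

Keeping the classifier free of SDK imports is deliberate: the permission-naming check and the fallback hint can be unit-tested on captured `ClientError.response` dicts, and the same record can be logged or surfaced in CI regardless of which service returned the denial.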

github-actions[bot] commented 2 months ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.