Closed Sparticuz closed 3 years ago
It looks like I had the wrong resource in the permissions policy for cwl. The following is working for me:

```yaml
# This allows CloudWatch Logs to push data to Kinesis Firehose, will need !GetAtt CloudwatchLogsToFirehoseRole.Arn later
CloudwatchLogsToFirehoseRole:
  Type: 'AWS::IAM::Role'
  Properties:
    Description: 'This is the role to attach your Log Group subscriptions to.'
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - !Join
                - .
                - - logs
                  - !Ref 'AWS::Region'
                  - amazonaws.com
          Action: 'sts:AssumeRole'
# This is the policy to attach the role
PermissionsPolicyForCWL:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: PermissionsPolicyForCWL
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 'firehose:*'
          Resource:
            - !GetAtt KinesisFirehoseDeliveryStream.Arn
    Roles:
      - !Ref CloudwatchLogsToFirehoseRole
```
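As an added example (not from the issue or its author), the same role/policy pair narrowed to the two Firehose actions a subscription needs, with a trust-policy condition that limits which log groups may assume the role, plus the `AWS::Logs::SubscriptionFilter` that wires a log group to the stream. It assumes `KinesisFirehoseDeliveryStream` and a `MyLogGroupName` parameter are defined elsewhere in the template; the `aws:SourceArn` condition and the `DependsOn` are additions, not something the thread states.

```yaml
# Added example: least-privilege version of the thread's role/policy plus the subscription filter.
# Assumes KinesisFirehoseDeliveryStream (resource) and MyLogGroupName (parameter) exist in this template.
Resources:
  CloudwatchLogsToFirehoseRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'logs.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
            # Confused-deputy guard (addition): only log groups in this account and
            # region may assume the role, not any CloudWatch Logs caller.
            Condition:
              StringLike:
                'aws:SourceArn': !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
  PermissionsPolicyForCWL:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: PermissionsPolicyForCWL
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            # The subscription only writes records; it never needs firehose:* (describe, delete, ...).
            Action:
              - 'firehose:PutRecord'
              - 'firehose:PutRecordBatch'
            # Scoped to the one delivery stream, which is the fix the thread describes.
            Resource: !GetAtt KinesisFirehoseDeliveryStream.Arn
      Roles:
        - !Ref CloudwatchLogsToFirehoseRole
  LogGroupToFirehoseSubscription:
    Type: 'AWS::Logs::SubscriptionFilter'
    # CloudWatch Logs validates the role at creation time, so the inline policy
    # must already be attached; otherwise the filter fails with an access error.
    DependsOn: PermissionsPolicyForCWL
    Properties:
      LogGroupName: !Ref MyLogGroupName
      FilterPattern: ''   # empty pattern forwards every event in the log group
      DestinationArn: !GetAtt KinesisFirehoseDeliveryStream.Arn
      RoleArn: !GetAtt CloudwatchLogsToFirehoseRole.Arn
```

If the delivery stream lives in another account, the subscription needs a CloudWatch Logs destination in that account instead of a direct `DestinationArn`, which is the cross-account case the reply below alludes to.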
You're not the only person to get bitten by this; perhaps another plugin, like serverless-plugin-logs-destination or something, would be a nice way to package up some of these concerns. In general these things are deployed in separate accounts and therefore separate stacks/services, hence separate plugins would be the way I'd go about it.
Following steps 9, 10, and 11 here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SubscriptionFilters.html#FirehoseExample, I ended up with the following.

I'm not able to get it to forward the messages from CWL to Kinesis Firehose though. Am I missing something?