Closed eryi closed 4 years ago
The correct permissions can probably be derived from the source. For example, _out_cloudwatchlogs.rb makes the following calls to the @logs object:
So it probably needs only the following permissions, per the CloudWatch Permissions Reference:
I've tested with the above set using the incubator/fluentd-cloudwatch Helm chart which uses an older version of this plugin, and it seems to be working so far. I haven't tried restricting the Resource or trimming the permissions.
_in_cloudwatchlogs.rb makes the following calls to @logs:
so presumably needs these permissions:
I don't know what the resource limitations need to be (I guess it depends on your chosen log group?) so it'd be nice to have this all well-documented and clear, and synced with the code.
Problem
IAM user in readme.md requires too many permissions
Steps to replicate
Currently, README.md recommends creating an IAM user with the following policy
Expected Behavior or What you need to ask
I am not sure why s3:GetObject is required. Also, the user should not be allowed to delete logs. A more appropriate policy might be
Source: https://docs.docker.com/config/containers/logging/awslogs/#credentials