fluent-plugins-nursery / fluent-plugin-cloudwatch-logs

CloudWatch Logs Plugin for Fluentd
MIT License

IAM user policy in README.md requires too many permissions #183

Closed eryi closed 4 years ago

eryi commented 4 years ago

Problem

IAM user in readme.md requires too many permissions

Steps to replicate

Currently, README.md recommends creating an IAM user with the following policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:*:*",
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Expected Behavior or What you need to ask

I am not sure why s3:GetObject is required. Also, the user should not be allowed to delete logs. A more appropriate policy might be

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Source: https://docs.docker.com/config/containers/logging/awslogs/#credentials
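
As an added illustration of the point made in this issue (not code from the plugin or from the commenter), the following script audits an IAM policy document for the two problems raised here: wildcard or out-of-service action grants, and grants that permit deleting log data. It checks actions only; the two policy documents are constructed copies of the ones quoted above, and the "required" set is the CreateLogStream/PutLogEvents pair proposed in the issue.

```python
import fnmatch
import json

# What the issue argues a log shipper needs: create a stream and write events.
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
# Real CloudWatch Logs actions that destroy log data; a shipper should never hold them.
DESTRUCTIVE_ACTIONS = {"logs:DeleteLogGroup", "logs:DeleteLogStream"}

# Constructed copies of the two policies quoted in the issue.
README_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:*", "s3:GetObject"],
  "Resource": ["arn:aws:logs:us-east-1:*:*", "arn:aws:s3:::*"]}]}""")
PROPOSED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]}""")

def allowed_actions(policy):
    """Collect the Action patterns of every Allow statement (string or list form)."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.update([action] if isinstance(action, str) else action)
    return patterns

def grants(patterns, action):
    """IAM action patterns are case-insensitive globs: 'logs:*' grants 'logs:DeleteLogGroup'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Return least-privilege findings for the policy; an empty list means no issue found."""
    patterns = allowed_actions(policy)
    findings = []
    for p in sorted(patterns):
        if "*" in p:
            findings.append(f"wildcard action: {p}")
        if p.split(":", 1)[0].lower() != "logs":
            findings.append(f"action outside CloudWatch Logs: {p}")
    for a in sorted(DESTRUCTIVE_ACTIONS):
        if grants(patterns, a):
            findings.append(f"destructive action granted: {a}")
    for a in sorted(REQUIRED_ACTIONS):
        if not grants(patterns, a):
            findings.append(f"required action missing: {a}")
    return findings

if __name__ == "__main__":
    for name, pol in (("README", README_POLICY), ("proposed", PROPOSED_POLICY)):
        print(name, audit_policy(pol) or "OK")
```

Resource scoping is deliberately not checked, since (as noted later in the thread) the right ARN restriction depends on the log group you configure.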

TBBle commented 4 years ago

The correct permissions can probably be derived from the source. For example, _out_cloudwatchlogs.rb makes the following calls to the @log object:

So it probably needs only the following permissions, per the CloudWatch Permissions Reference:

I've tested with the above set using the incubator/fluentd-cloudwatch Helm chart which uses an older version of this plugin, and it seems to be working so far. I haven't tried restricting the Resource or trimming the permissions.

_in_cloudwatchlogs.rb makes the following calls to @logs:

so presumably needs these permissions:

I don't know what the resource limitations need to be (I guess it depends on your chosen log group?) so it'd be nice to have this all well-documented and clear, and synced with the code.