kdgregory / log4j-aws-appenders

Appenders for Log4J 1.2.x, Log4J 2.x, and Logback that write to AWS destinations.
Apache License 2.0

CloudWatchLogWriter not reporting AccessDenied in sendBatch() #176

Status: Closed. kdgregory closed this issue 1 year ago.

kdgregory commented 1 year ago

If the log-writer does not have logs:PutLogEvents it should report the error. However, it's silently retrying the batch, which will eventually lose messages. It does operate as expected if there's an active Deny on this permission.

It looks like both CloudWatchFacadeImpl.transformException() and CloudWatchLogWriter.sendBatch() are doing the right thing, so unclear why this is happening.

Underlying exception:

Exception in thread "main" com.amazonaws.services.logs.model.AWSLogsException: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/Log4JAppenderTesting/XXXXXXXXXXXX-kdgregory is not authorized to perform: logs:PutLogEvents on resource: arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:2828d147-c9a9-49b6-81ae-b710fdcecc07:log-stream:e9ec79d0-f068-460c-889b-30616dcae93e because no identity-based policy allows the logs:PutLogEvents action (Service: AWSLogs; Status Code: 400; Error Code: AccessDeniedException; Request ID: 504cb041-a4e8-4e81-a408-b3d3b9ec272d; Proxy: null)

kdgregory commented 1 year ago

This appears to be an issue with Logback: it doesn't report errors unless debugging is enabled. Both Log4J1 and Log4J2 report the error. I suspect that the reason I thought an active Deny was being reported was that I had debug enabled for that run.
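An added example, not code from the log4j-aws-appenders project: one way to make an appender failure such as the AccessDeniedException above visible in a Logback application without enabling debug for the whole configuration is to register a StatusListener on the LoggerContext. It assumes the appender reports the failure through Logback's status system (addWarn/addError), which is what the comment above implies, and that Logback is the active SLF4J binding.

```java
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.core.status.Status;
import ch.qos.logback.core.status.StatusListener;
import ch.qos.logback.core.status.StatusManager;
import org.slf4j.LoggerFactory;

/**
 * Prints every WARN/ERROR status event raised by Logback components
 * (appenders included) to stderr, so that a log writer that is silently
 * retrying because of a missing permission is not silently losing records.
 * Equivalent declarative option in logback.xml:
 *   <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener"/>
 */
public final class AppenderErrorReporter implements StatusListener {

    @Override
    public void addStatusEvent(Status status) {
        // Status.INFO events are configuration chatter; only surface problems.
        if (status.getEffectiveLevel() < Status.WARN) {
            return;
        }
        String level = status.getEffectiveLevel() == Status.ERROR ? "ERROR" : "WARN";
        System.err.println("[logback " + level + "] " + status.getOrigin()
                + ": " + status.getMessage());
        Throwable cause = status.getThrowable();
        if (cause != null) {
            // For the case in this issue, this is the AWSLogsException
            // carrying the AccessDeniedException error code.
            cause.printStackTrace(System.err);
        }
    }

    /** Install the listener and replay events already recorded at startup. */
    public static void install() {
        // Assumes Logback is the SLF4J implementation in use.
        LoggerContext ctx = (LoggerContext) LoggerFactory.getILoggerFactory();
        StatusManager sm = ctx.getStatusManager();
        AppenderErrorReporter reporter = new AppenderErrorReporter();
        sm.add(reporter);
        // The status manager keeps a bounded list of earlier events; replay
        // them so errors raised during configuration are not missed either.
        for (Status s : sm.getCopyOfStatusList()) {
            reporter.addStatusEvent(s);
        }
    }
}
```

Call AppenderErrorReporter.install() once at application startup; a production deployment would typically route these events to a health check or alert rather than stderr, since a log pipeline that has stopped delivering is a monitoring gap worth paging on.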