AccessDeniedException [RSLVR-01605] Missing permission to log:* #4346
Comments
phcs93
added
bug
|
Hi @phcs93, The error you are seeing is coming from the service and not the SDK client. The SDK does not know about the roles and permissions you have attached to resources and doesnt have any discretion over changing them. I'm sure the route53 team has a valid reason to need you to permit all logs, but we can upstream this question to the service team on your behalf. In the spirit of full transparency I'll say that sometime it may take a long time to hear back from a service team unless its a high severity issue. Thanks, |
RanVaknin
added
service-api
|
Hey @RanVaknin, if you could ask them about this that would be great! I've been doing more testing on this problem and I found something a little odd. I noticed that, when I run the
The odd thing is, if I delete that log group, and manually create another log group with the same name, that log stream is still there. That doesn't happen if I use a different log group name. Also, with that log stream created in the log group, I am able to remove the permission to "logs:*" from the role and call So I assume there is something to do with that log stream, but I couldn't find anything about it online. |
Describe the bug
When trying to run route53resolver:CreateResolverQueryLogConfig, I get the error message:
AccessDeniedException [RSLVR-01605] Missing permission to log:*Expected Behavior
I don't think it should ask for permissions to "logs:*".
Isn't it too permissive?
It can lead to problems when trying to follow the least-privilege principle.
I will have a hard time trying to convince my security team to approve this.
Current Behavior
The following exception is thrown:
{ "errorType": "AccessDeniedException", "errorMessage": "[RSLVR-01605] Missing permission to log:* Trace Id: \"1-63ea6c69-72dba1d115a5667b40a202a4\"", "trace": [ "AccessDeniedException: [RSLVR-01605] Missing permission to log:* Trace Id: \"1-63ea6c69-72dba1d115a5667b40a202a4\"", " at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)", " at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)", " at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)", " at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)", " at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)", " at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)", " at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10", " at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)", " at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)", " at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)" ] }Reproduction Steps
Lambda code (nodejs 16.x):
My role policies:
Default lambda policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "arn:aws:logs:sa-east-1:############:*" }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:sa-east-1:############:log-group:/aws/lambda/*:*" ] } ] }Custom added policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "route53resolver:CreateResolverQueryLogConfig", "Resource": "*" }, { "Effect": "Allow", "Action": "logs:CreateLogDelivery", "Resource": "*" } ] }Possible Solution
The only way to make this work is adding permission to "logs:*" in your role policies:
{ "Effect": "Allow", "Action": "logs:*", "Resource": "*" }But I don't think this is ok.
Isn't this too permissive?
Additional Information/Context
No response
SDK version used
2.1310.0 (javascript)
Environment details (OS name and version, etc.)
AWS Lambda running Node.js 16.x
The text was updated successfully, but these errors were encountered: