I would be grateful if someone could help me troubleshoot either incorrectly documented or out-of-date syntax on this:
aws logs put-resource-policy --policy-in-json exampleResourcePolicy.json
from this AWS Guide to enable IoT Analytics to send logs to CloudWatch Logs.
I executed steps 1 & 2 of the Guide successfully (I believe) and step 3 asks me to execute said line above with the following exampleResourcePolicy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "iotanalytics.amazonaws.com"
      },
      "Action": "logs:PutLogEvents",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:*/*"
        },
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        }
      }
    }
  ]
}
Actions I took:
- read the syntax for cli v2: aws logs put-resource-policy
- substituted --policy-in-json for --policyDocument
- added the required --policy-name with a value
- wrapped the Principal Service in square brackets like the example in --policy-document of put-resource-policy
and now I receive:
$ aws logs put-resource-policy --policy-name iotAnalytics --policy-document iot_analytics_logging_resource_policy.json
An error occurred (InvalidParameterException) when calling the PutResourcePolicy operation: Error occurred while parsing accessPolicy. Please check if the accessPolicy has been constructed correctly using IAM grammar.
So I:
- double-checked the results for steps 1 & 2
- used the IAM Policy Editor (Visual) to recreate the policy conditions, observe the json, and compare with mine above.
- in the Visual Editor I manually added "Principal" at the level shown above because the configurator wouldn't let me otherwise, and received the error "Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element."
Should I try this instead:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalServiceName": "iotanalytics.amazonaws.com",
          "aws:SourceAccount": "MYACCOUNT"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iotanalytics:MYREGION:MYACCOUNT:*/*"
        }
      }
    }
  ]
}
with MYREGION and MYACCOUNT valid, of course, and only redacted here for security.
Or should I do something else entirely?
Thanks in advance!
UPDATE 7/27: This was purely a CLI syntax issue where I needed to supply the json either in a file with a file:// prefix (--policy-document file://policy.json) or inline with single quotes (--policy-document '{ INSERT_JSON_HERE }'), as shown in this IAM Documentation Example.
@Greg_B, thanks for your time, fast and exampled answer! Unfortunately, this still failed with "...InvalidParameterException...while parsing accessPolicy..." that I first mentioned. The solve was changing my cli syntax as noted in the UPDATE at the bottom of my question. Could you also raise a ticket to update the IoT Analytics Guide with the correct syntax? i.e.
aws logs put-resource-policy --policy-name INSERTNAME --policy-document file://policy.json
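As an added illustration (not code from the question, the answer, or AWS), a small Python script that mimics how the CLI resolves --policy-document (a file:// prefix reads the file; any other string, a bare filename included, is passed to the API literally) and lints the resource policy for the elements this question turns on: a service Principal and the aws:SourceArn / aws:SourceAccount conditions. The sample policy is constructed from the question's JSON with placeholder account and region.

```python
import json

# Constructed sample: the question's resource policy with placeholder
# account and region values.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "iotanalytics.amazonaws.com"},
    "Action": "logs:PutLogEvents",
    "Resource": "*",
    "Condition": {
        "ArnLike": {"aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:*/*"},
        "StringEquals": {"aws:SourceAccount": "123456789012"}}}]}

def resolve_cli_parameter(value: str) -> str:
    # Like the CLI: a 'file://' prefix means read that file; any other
    # string (including a bare filename) is sent to the API as-is.
    if value.startswith("file://"):
        with open(value[len("file://"):], encoding="utf-8") as fh:
            return fh.read()
    return value

def parse_policy_document(value: str) -> dict:
    # ValueError here is the local analogue of the service's
    # "Error occurred while parsing accessPolicy" response.
    try:
        return json.loads(resolve_cli_parameter(value))
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc

def check_log_resource_policy(policy: dict) -> list:
    # Lint a Logs resource policy for a service principal; [] means OK.
    problems = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            # Resource policies name the caller; an identity policy (what the
            # visual editor builds) has no Principal and will not work here.
            problems.append("statement lacks a service Principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "logs:PutLogEvents" for a in actions):
            problems.append(f"unexpected actions: {actions}")
        cond = stmt.get("Condition", {})
        if "aws:SourceArn" not in cond.get("ArnLike", {}):
            problems.append("missing aws:SourceArn (confused-deputy guard)")
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            problems.append("missing aws:SourceAccount (confused-deputy guard)")
    return problems
```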