Issue with pushing an EC2 instance's Docker container logs into CloudWatch
I have a working EC2 instance in free tier, with a responding java-based grpc server in a docker container inside the instance.
I'd like to send the logs of the container into the CloudWatch.
I created the suggested policy, the EC2 role, and the role is attached to the instance.
The container is started from the bash of the linux instance with this command:
docker run -d -p 9092:9092 -t <<my-container-name>> --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group="gRPC-POC" --log-opt awslogs-stream="gRPC-POC-log" --log-opt awslogs-create-group=true --log-opt awslogs-create-stream=true
I tried to run the container with different users, with different options of the log-driver, omitting parts and almost everything.
The policy I created to use the CloudWatch looks like this:\
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:us-east-1:<<my-account-number>>:log-group:*:*"
}
]
}
So far,no sign of the gathered logs in CloudWatch even if I create a log-group and/or log-stream or I don't.
Maybe I'm missing a step or a vital information somewhere?
Do You have any suggestions, please?
#EDIT
The command aws sts get-caller-identity gives this result:
It looks like the instance has the proper right, 'GrpcPocAccessLogs'.
- Newest
- Most votes
- Most comments
Hi,
The IAM policy is correct but something is amiss in the command you shared. Some observations / queries:
-
Is your container actually running after you issue the command? The above syntax does not throw any error but does not even start the container for me. You can confirm with 'docker ps' or 'docker ps -a'
-
By <<my-container-name>> in your command above do you mean to imply the name of the image to launch the container with. In that case provide the name of the image at the end of the command. Docker run command usage is:
docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
- awslogs-create-stream is not a valid log-opt parameter and returns "docker: Error response from daemon: unknown log opt 'awslogs-create-stream' for awslogs log driver." Checked this against the latest docker documentation and docker v20.10.17.
Try this command:
docker run -d -p 9092:9092 -t --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group="gRPC-POC" --log-opt awslogs-stream="gRPC-POC-log" --log-opt awslogs-create-group=true <<my-image-name>>
--Syd
Tanks a lot, @Syd :) Of course, it was the order of the options and the image name. You saved my day.
Have you checked out this Premium Support article - https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-docker-container-logs-proxy/
Thanks, but why should I use a proxy to push the logs to CloudWatch, if the daemon does this itself? Except for adding "an additional layer of security between your Docker instances and internet-bound traffic" - but currently I have another goal: to establish the communication transporting the container logs to CloudWatch.
Relevant content
- asked 4 months ago
- asked 4 months ago
AWS OFFICIALUpdated 4 years ago- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
You can confirm whether the container is getting the role your intend to use, using this cli
aws sts get-caller-identityfrom within the containerI meant doing that from within the container (e.g.
docker exec -it <container_id> bash)