By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Classic Load Balancer log - AccessDenied

0

Recently created EKS cluster, letting eksctl create the necessary resources. The cluster is using Istio 1.4.3 so I am expecting the classic load balancer to be utilized. I am trying to troubleshoot what is happening with incoming http requests to the classic load balancer (used via istio-ingressgateway Service type:LoadBalancer instance), I followed the instructions at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html.
and via the EC2 Console's "Load Balancer" -> instance -> Description's attribution section, I enabled the use of a new S3 bucket for the ELB log. So the creation of policies was done by this enabling, the test log showed up in the expected path within the bucket. I'm seeing the expected ELB log files showing up in the S3 bucket in the documented folder structure. The userid has the associated role policy arn:aws:iam::aws:policy/aws-service-role/AWSElasticLoadBalancingServiceRolePolicy, the IAM permissions tab shows the EC2 service as being linked to this policy. so I'm assuming (dangerous, right?) that the ELB instances are authorized to (access level: List, write) write messages to the S3 log files. But

My question is: subsequent http requests directed at the ELB's public IP address don't show in the log, what shows up is:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>9492B44E9C24B9E1</RequestId>
<HostId>
FIlVp2wpilOs1tUq4WPYb9SPjjysP2mrwODVT3IrYg9tFj0YzXpiMbiXJjvPmaXe+revD6YnMp0=
</HostId>
</Error>

I am wondering what this indicates? Other than obviously some sort of issue.... Ie. root case, needed correction. MTIA for any insights, suggestions. I'm sure I'm leaving out of this post some info that might be useful, trying to keep my posts shorter (pun: balancing act...)

Edited by: SteveHespelt on Apr 29, 2020 7:27 AM

asked 5 years ago401 views
1 Answer
0

Solved. Oh boy, how do I wipe this much egg off my face?

https://forums.aws.amazon.com/message.jspa?messageID=776189 - my 'issue' is how I was trying to view the log. In the S3 management console, I was clicking on the "Object URL" link, assuming that since I was logged in & the owner of said logs, I'd be able to view the log file instance.
The 2017 post pointed out the error of my thinking. In the "Overview" panel of the log file instance (in the same S3 Console UI) using the "Download" the log file shows expected log messages.

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions