It looks like the console is trying to describe all log groups but you have restricted the Describe* actions to a specific log group. In most cases, AWS Console will describe all resources and this is required for Console to function. Add an additional statement into your policy to allow Console to describe all the log groups.
Example Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:Get*",
        "logs:List*",
        "logs:Describe*",
        "logs:StartQuery",
        "logs:StopQuery",
        "logs:TestMetricFilter",
        "logs:FilterLogEvents",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group:/aws/sagemaker/TrainingJobs:log-stream:*"
    },
    {
      "Sid": "DescribeLogGroups",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "arn:aws:logs:us-east-1:ACCOUNT_ID:log-group::log-stream:"
    }
  ]
}
The above policy won't allow the user to access any log streams for unwanted log groups. It will only allow AWS Console to list all log groups. The user will be allowed to access only the log streams for the /aws/sagemaker/TrainingJobs log group.
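To see why the two statements above produce that split (console can list every group, the user can only read streams under one group), the following script replays the answer's policy through a deliberately simplified IAM-style matcher. It is an added example, not code from the answer or from AWS: the account id, the request ARNs, the `is_allowed` evaluator and the `narrow_to_stream_prefix` helper are all constructed here. The evaluator only models default-deny, explicit-deny-wins and `*` wildcard matching on `Action` and `Resource`; real IAM also applies condition keys, SCPs, resource policies and per-API resource types, which must be checked against the CloudWatch Logs service authorization reference before relying on any narrowing.

```python
import copy
import fnmatch

# Constructed values standing in for ACCOUNT_ID and for the ARNs the
# console and API calls would be authorized against.
ACCOUNT = "123456789012"
REGION = "us-east-1"
TRAINING_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/sagemaker/TrainingJobs"
TRAINING_STREAM = TRAINING_GROUP + ":log-stream:my-job/algo-1-1700000000"
OTHER_GROUP = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/other"
OTHER_STREAM = OTHER_GROUP + ":log-stream:2024/01/01/abc"
ALL_GROUPS = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group::log-stream:"

# The policy from the answer above, with the constructed account id filled in.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:Get*", "logs:List*", "logs:Describe*", "logs:StartQuery",
                "logs:StopQuery", "logs:TestMetricFilter", "logs:FilterLogEvents",
                "cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*",
            ],
            "Resource": TRAINING_GROUP + ":log-stream:*",
        },
        {
            "Sid": "DescribeLogGroups",
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": ALL_GROUPS,
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM decision: implicit deny, explicit Deny wins, else any Allow.

    Action names are case-insensitive in IAM; resource ARNs are case-sensitive,
    so actions are lower-cased before matching and ARNs are compared as-is.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_patterns = [a.lower() for a in _as_list(stmt["Action"])]
        resource_patterns = _as_list(stmt["Resource"])
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p) for p in action_patterns)
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in resource_patterns)
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision == "Allow"


def narrow_to_stream_prefix(policy, stream_prefix):
    """Constructed variant: scope the data-access statement to one stream prefix.

    Replaces the trailing ``log-stream:*`` with ``log-stream:<prefix>*`` so the
    matcher only admits streams whose name starts with the prefix.
    """
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        if stmt["Sid"] == "VisualEditor0":
            stmt["Resource"] = TRAINING_GROUP + f":log-stream:{stream_prefix}*"
    return narrowed


if __name__ == "__main__":
    checks = [
        ("logs:DescribeLogGroups", ALL_GROUPS),        # console listing: allowed
        ("logs:GetLogEvents", TRAINING_STREAM),        # stream in the allowed group
        ("logs:GetLogEvents", OTHER_STREAM),           # stream in another group
        ("logs:DescribeLogStreams", OTHER_GROUP + ":log-stream:"),
        ("logs:DeleteLogGroup", TRAINING_GROUP),       # action never granted
    ]
    for action, resource in checks:
        print(f"{'ALLOW' if is_allowed(POLICY, action, resource) else 'DENY ':5} {action} {resource}")
```

Running it shows the listing call succeeding only through the second statement, reads succeeding only under `/aws/sagemaker/TrainingJobs`, and every other group's streams falling to the implicit deny. The `narrow_to_stream_prefix` variant is there to show the mechanics a stream-level restriction would rely on (a more specific `log-stream:` segment in the resource ARN); whether a particular API or console view honours that granularity is a property of the service, not of this matcher.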
Hi Renjith. Thank you very much for your answer. This worked for us! One other question. Is it possible to restrict down to a specific log stream within that log group? Essentially what happens is, mlops1 has a training job in SageMaker Studio and accesses the CloudWatch log for that training job by clicking on that option in SageMaker Studio (which then diverts mlops1 to that log stream in the AWS console). From there, mlops1 can access the log stream but then can also go up a level to access all log streams within that log group. Hopefully that makes sense. Looking forward to hearing your thoughts on that! Thanks again.
Hello Renjith. Hope you are doing well. Just wanted to follow up on the possibility of restricting access to log streams within the log group. Do you know if that is possible? So far, we have not figured out a way of successfully doing this. Thank you very much.