Role for writing AWS Step Functions state machine logs
When logging is not enabled and no Role is specified, the automatically created Role looks like the following: the invoke permission (lambda:InvokeFunction) for every function the state machine uses keeps getting added to "Resource".
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:us-west-2:123456789012:function:startTask",
        "arn:aws:lambda:us-west-2:123456789012:function:startTask:*",
        "arn:aws:lambda:us-west-2:123456789012:function:createAthenaTable",
        "arn:aws:lambda:us-west-2:123456789012:function:createAthenaTable:*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
The same happens for log groups: the "Resource" list of the CloudWatch Logs resource-based policy keeps growing, as shown below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:123456789012:log-group:/aws/vendedlogs/states/startTask-Logs:log-stream:*",
        "arn:aws:logs:us-west-2:123456789012:log-group:/aws/vendedlogs/states/createAthenaTable-Logs:log-stream:*"
      ]
    }
  ]
}
```
CloudWatch Logs resource-based policies have a size limit, and the problem occurs when SAM tries to apply a change that would push the policy past that limit.
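To make the growth concrete, the following is an added example (not code from the article). It rebuilds the "AWSLogDeliveryWrite" statement shown above for a growing number of state machines and measures the compact-JSON size against the 5,120-character quota for CloudWatch Logs resource policies, then compares it with a single ARN scoped to the /aws/vendedlogs/states/ prefix. That prefix is why the log group name in the SAM template further down starts with /aws/vendedlogs/: CloudWatch Logs enables log groups under that prefix automatically once the policy approaches its size limit. The region, account id and state machine names are constructed sample values, and how the service counts characters (whitespace, key order) is an assumption, so the numbers are estimates.

```python
"""Size growth of the CloudWatch Logs resource-based policy for vended logs.

Added example, not code from the original article. Region, account id and
state machine names are constructed sample values; the exact way the service
counts characters (whitespace, key order) is an assumption.
"""
import json

REGION = "us-west-2"         # same sample region/account as the article's ARNs
ACCOUNT = "123456789012"
POLICY_SIZE_LIMIT = 5120     # CloudWatch Logs resource policy quota, in characters


def log_stream_arn(log_group: str) -> str:
    """ARN in the form that gets appended for each state machine's log group."""
    return f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{log_group}:log-stream:*"


def delivery_policy(resources: list) -> dict:
    """Resource-based policy shaped like the one CloudWatch Logs writes for log delivery."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": resources,
            }
        ],
    }


def policy_size(policy: dict) -> int:
    """Length of the policy serialized as compact JSON (our estimate of quota usage)."""
    return len(json.dumps(policy, separators=(",", ":")))


def per_state_machine_policy(n: int) -> dict:
    """One explicit log-stream ARN per state machine: the list grows linearly with n."""
    groups = [f"/aws/vendedlogs/states/stateMachine{i:03d}-Logs" for i in range(n)]
    return delivery_policy([log_stream_arn(group) for group in groups])


def prefix_policy() -> dict:
    """Alternative for comparison: a single ARN scoped to the /aws/vendedlogs/states/ prefix."""
    return delivery_policy([log_stream_arn("/aws/vendedlogs/states/*")])


def max_state_machines_within_limit(limit: int = POLICY_SIZE_LIMIT) -> int:
    """Largest n for which the per-state-machine policy still fits within the quota."""
    n = 0
    while policy_size(per_state_machine_policy(n + 1)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    for n in (2, 10, 40):
        print(f"{n:3d} state machines -> {policy_size(per_state_machine_policy(n)):5d} chars")
    print(f"prefix-scoped policy -> {policy_size(prefix_policy()):5d} chars")
    print(f"state machines that fit under {POLICY_SIZE_LIMIT} chars: "
          f"{max_state_machines_within_limit()}")
```

Each state machine adds roughly one ARN of about a hundred characters, so a few dozen state machines in one account and region are enough to reach the quota, while the prefix-scoped policy stays the same size no matter how many state machines are deployed.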
Workaround: update the resource-based policy manually and widen the scope of "Resource".
The role below sets Resource: "*":

```yaml
StateMachineRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "role-state-machine"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: states.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: !Sub "state-machine-logs-policy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - lambda:InvokeFunction
              Resource: "*"
            - Effect: Allow
              Action:
                - logs:CreateLogDelivery
                - logs:CreateLogStream
                - logs:GetLogDelivery
                - logs:UpdateLogDelivery
                - logs:DeleteLogDelivery
                - logs:ListLogDeliveries
                - logs:PutLogEvents
                - logs:PutResourcePolicy
                - logs:DescribeResourcePolicies
                - logs:DescribeLogGroups
              Resource: "*"
```
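Resource: "*" on lambda:InvokeFunction lets the state machine invoke every function in the account, not only the ones it orchestrates, and the AWSLambdaRole managed policy used further down grants the same action on "*" as well. The following is an added example (not code from the article) that writes the role's inline PolicyDocument above as a Python dict, reports every Allow statement that grants an action on Resource "*" (skipping the log-delivery and resource-policy actions that the Step Functions logging policy grants on "*" because they take no resource ARN), and returns a copy in which the Lambda statement is limited to functions under a name prefix, mirroring the function and function:* ARN pair of the auto-generated role. The region, account id and name prefix are constructed sample values.

```python
"""Report wildcard Resource grants in a Step Functions execution role.

Added example, not code from the original article. BROAD_POLICY is the
article's inline policy as a dict; region, account id and the function name
prefix used for scoping are constructed sample values.
"""
import copy

# Actions the Step Functions logging policy grants on "*" (no per-resource ARN applies)
WILDCARD_ONLY_ACTIONS = {
    "logs:CreateLogDelivery",
    "logs:GetLogDelivery",
    "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
}

# The article's inline policy, before hardening
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery", "logs:CreateLogStream", "logs:GetLogDelivery",
                "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
                "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups",
            ],
            "Resource": "*",
        },
    ],
}


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy: dict) -> list:
    """(statement index, action) pairs where a scopable action is allowed on "*"."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in WILDCARD_ONLY_ACTIONS:
                findings.append((index, action))
    return findings


def scope_lambda_invoke(policy: dict, region: str, account: str, name_prefix: str) -> dict:
    """Copy of policy with lambda:InvokeFunction-only statements scoped to name_prefix*."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        # Only rewrite statements that grant nothing but the Lambda invoke action,
        # so a mixed statement is never narrowed for its other actions by accident.
        if (stmt.get("Effect") == "Allow" and actions == ["lambda:InvokeFunction"]
                and "*" in _as_list(stmt.get("Resource"))):
            base = f"arn:aws:lambda:{region}:{account}:function:{name_prefix}*"
            stmt["Resource"] = [base, f"{base}:*"]   # function and its versions/aliases
    return hardened


if __name__ == "__main__":
    for index, action in find_broad_grants(BROAD_POLICY):
        print(f'statement[{index}] grants {action} on Resource "*"')
    scoped = scope_lambda_invoke(BROAD_POLICY, "us-west-2", "123456789012", "myservice-dev-")
    print("after scoping:", scoped["Statement"][0]["Resource"])
```

logs:CreateLogStream and logs:PutLogEvents also show up in the report, because they accept log-group ARNs; the block leaves that statement as the article has it and only narrows the Lambda statement. In the SAM template, the same scoping is expressed as `!Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${Service}-${Stage}-*"`.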
Using a managed policy instead also works:

```yaml
ManagedPolicyArns:
  - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
```
SAM template example

```yaml
Resources:
  # -------------------------
  # IAM Role
  # -------------------------
  StateMachineRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${Service}-${Stage}-role-state-machine"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: states.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyName: !Sub "${Service}-${Stage}-state-machine-logs-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogDelivery
                  - logs:CreateLogStream
                  - logs:GetLogDelivery
                  - logs:UpdateLogDelivery
                  - logs:DeleteLogDelivery
                  - logs:ListLogDeliveries
                  - logs:PutLogEvents
                  - logs:PutResourcePolicy
                  - logs:DescribeResourcePolicies
                  - logs:DescribeLogGroups
                Resource: "*"
  # -------------------------
  # State Machine resources
  # -------------------------
  emrExecution:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Sub "${Service}-${Stage}-emrExecution"
      Role: !GetAtt StateMachineRole.Arn
      Logging:
        Level: ALL
        IncludeExecutionData: True
        Destinations:
          - CloudWatchLogsLogGroup:
              LogGroupArn: !GetAtt emrExecutionLogGroup.Arn
      # 〜〜 omitted 〜〜
  # -------------------------
  # LogGroup resources
  # -------------------------
  emrExecutionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/vendedlogs/states/${Service}-${Stage}-state-machine-Logs" # log group name
```
Links