I have 2 AWS accounts.
- Account A: EC2 instances with awslogs client from amazon
- Account B: Centralized logging account
I want to send logs from the EC2 instance with the awslogs client (in account A) to CloudWatch Logs in another account (account B).
It works fine by creating an IAM user in Account B and setting up the AWS credential key in awscli.conf, but I do not want keys to be hardcoded, so I'm trying to assume a role as follows:
IAM role in Account B (the CloudWatch account): I created a role named CloudWatchCrossRole:
Inline policy (allow this role to write logs to CloudWatch Logs):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
Trust policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_A:role/CLoudWatchInstanceProfile"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
In Account A, I start an EC2 instance with the profile CLoudWatchInstanceProfile, which looks as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_B:role/CloudWatchCrossRole"
        }
    ]
}
No joy, the logs are pushed to ACCOUNT_A instead of ACCOUNT_B. Can anyone give me a hint whether AssumeRole on CloudWatch Logs is possible, or if it is mandatory to create an IAM user and hardcode the credentials in awscli.conf?
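The cross-account handshake in the question has two halves that both have to line up: the identity policy on the Account A instance role must allow sts:AssumeRole on the Account B role, and the Account B role's trust policy must name the Account A role as a principal. A log shipper that writes with the raw instance-profile credentials never performs that exchange, so the events stay in Account A regardless of how the policies look. The following Python is an added example, not code from the original post or from the awslogs agent: it checks both halves of the handshake against constructed copies of the post's two policy documents (ACCOUNT_A, ACCOUNT_B and the role names are the post's placeholders), flags the over-broad "*" on "*" statement, builds a narrower alternative to logs:* for the Account B role, and exercises the exchange explicitly through STS. boto3 is assumed to be installed on the instance and is imported lazily so the policy checks run offline; the STS client can be injected for testing.

```python
"""Cross-account AssumeRole for CloudWatch Logs: policy checks plus the STS exchange.

Added example, not code from the original post. Account ids, role names and
the log group ARN are placeholders; the two policy documents are constructed
to mirror the ones shown in the question.
"""
import fnmatch
import time

INSTANCE_ROLE_ARN_A = "arn:aws:iam::ACCOUNT_A:role/CLoudWatchInstanceProfile"
ROLE_ARN_B = "arn:aws:iam::ACCOUNT_B:role/CloudWatchCrossRole"

# Constructed copy of the Account A instance-role policy from the post.
INSTANCE_ROLE_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN_B},
    ],
}
# Constructed copy of the Account B trust policy from the post.
TRUST_POLICY_B = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Principal": {"AWS": INSTANCE_ROLE_ARN_A},
         "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, needle):
    """Case-insensitive IAM-style wildcard match ('*' and '?')."""
    return any(fnmatch.fnmatchcase(needle.lower(), p.lower()) for p in _as_list(patterns))


def can_assume(identity_policy, trust_policy, caller_arn, target_role_arn):
    """True when both halves allow caller_arn to assume target_role_arn.

    Half 1: the caller's identity policy allows sts:AssumeRole on the target.
    Half 2: the target's trust policy lists the caller as an AWS principal.
    Explicit Deny statements are not modelled (none appear in the post).
    """
    caller_ok = any(
        s.get("Effect") == "Allow"
        and _matches(s.get("Action"), "sts:AssumeRole")
        and _matches(s.get("Resource"), target_role_arn)
        for s in identity_policy.get("Statement", []))
    trust_ok = False
    for s in trust_policy.get("Statement", []):
        principal = s.get("Principal")
        allowed = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (s.get("Effect") == "Allow" and _matches(s.get("Action"), "sts:AssumeRole")
                and caller_arn in allowed):
            trust_ok = True
    return caller_ok and trust_ok


def overly_broad_statements(policy):
    """Indices of Allow statements granting '*' or 'service:*' on every resource."""
    flagged = []
    for i, s in enumerate(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(s.get("Action"))]
        wide = any(a == "*" or a.endswith(":*") for a in actions)
        if s.get("Effect") == "Allow" and wide and "*" in _as_list(s.get("Resource")):
            flagged.append(i)
    return flagged


def least_privilege_logs_policy(log_group_arn):
    """Narrower identity policy for the Account B role: only what a shipper needs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": log_group_arn}]}


def assume_role_session(role_arn, session_name, region, sts_client=None):
    """Swap instance-profile credentials for temporary Account B credentials."""
    import boto3  # assumption: installed on the instance; imported lazily
    sts = sts_client or boto3.client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                            DurationSeconds=3600)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"],
                         region_name=region)


def ship_line(session, group, stream, message):
    """Write one event into Account B using the assumed-role session."""
    logs = session.client("logs")
    try:
        logs.create_log_stream(logGroupName=group, logStreamName=stream)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass
    return logs.put_log_events(
        logGroupName=group, logStreamName=stream,
        logEvents=[{"timestamp": int(time.time() * 1000), "message": message}])


if __name__ == "__main__":
    print("handshake allowed:", can_assume(INSTANCE_ROLE_POLICY_A, TRUST_POLICY_B,
                                           INSTANCE_ROLE_ARN_A, ROLE_ARN_B))
    print("over-broad statements in Account A role:",
          overly_broad_statements(INSTANCE_ROLE_POLICY_A))
```

Run without arguments on the instance, the policy checks need no network; `assume_role_session` and `ship_line` are the part that actually moves an event into Account B. Whether a given version of the awslogs agent can be configured to perform the same role assumption itself is a separate question; what the example shows is the exchange a shipper must make for the events to land in Account B rather than Account A.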