(synthetics): canary permissions for cloudwatch logging are malformed #18910
Closed
Labels: @aws-cdk/aws-synthetics (Related to Amazon CloudWatch Synthetics), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1
Description
What is the problem?
When creating a canary using @aws-cdk/aws-synthetics-alpha version 2.10.0-alpha.0 and using the default role creation, the permissions allow the canary to run but it doesn't create logs in CloudWatch. I've traced this to the policy that is created around logging, which is generated as follows:
{
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup",
    "logs:PutLogEvents"
  ],
  "Resource": "arn:aws:logs:::*",
  "Effect": "Allow"
}
The Resource element is missing a region. It can be rectified by adding a more specific policy statement to the CDK code, e.g.
import { PolicyStatement } from 'aws-cdk-lib/aws-iam';

// `account` is the deploying account id, defined elsewhere in the stack
canary.role.addToPrincipalPolicy(
  new PolicyStatement({
    resources: [`arn:aws:logs:eu-west-1:${account ?? ''}:*`],
    actions: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
  })
);
Reproduction Steps
import * as path from 'path';
import { Duration } from 'aws-cdk-lib';
import * as synthetics from '@aws-cdk/aws-synthetics-alpha';
import { Canary, Runtime, Schedule, Test } from '@aws-cdk/aws-synthetics-alpha';

// Canary with the default (auto-created) role; `id` is the construct id
const canary = new Canary(this, id, {
  canaryName: 'Canary',
  schedule: Schedule.rate(Duration.minutes(1)),
  test: Test.custom({
    code: synthetics.Code.fromAsset(path.join(__dirname, 'canary')),
    handler: 'index.handler',
  }),
  runtime: Runtime.SYNTHETICS_NODEJS_PUPPETEER_3_3,
});
What did you expect to happen?
Canary can create and write to CloudWatch logs with default role permissions
What actually happened?
Canary cannot create or write to CloudWatch logs with default role permissions
CDK CLI Version
2.10.0 (build e5b301f)
Framework Version
No response
Node.js Version
v14.15.5
OS
Mac OS / CodeBuild (same results locally and on CI)
Language
Typescript
Language Version
Typescript (4.2.4)
Other information
No response
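As an added check (example code, not part of this issue or the aws-cdk project): a small TypeScript audit that walks the IAM policies in a synthesized CloudFormation template and flags CloudWatch Logs resource ARNs whose region or account field is empty, which is exactly the shape of the statement reported above. It runs over a constructed sample containing that malformed statement beside a region- and account-qualified one; the logical ids and the account id are placeholders.

```typescript
// Added example, not code from the aws-cdk project: audit the IAM policies in a
// synthesized template and flag CloudWatch Logs ARNs with an empty region or account.
interface IamStatement {
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
}
// Returns one finding per defective CloudWatch Logs ARN in a single statement.
function findMalformedLogArns(stmt: IamStatement): string[] {
  const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
  const findings: string[] = [];
  for (const arn of resources) {
    if (arn === '*') continue; // a bare wildcard is a separate review question
    const parts = arn.split(':'); // arn:partition:service:region:account:resource
    if (parts.length < 6 || parts[0] !== 'arn') {
      findings.push(`${arn}: not an ARN`);
      continue;
    }
    const [, , service, region, account] = parts;
    if (service !== 'logs') continue; // only CloudWatch Logs ARNs are in scope here
    if (region === '') findings.push(`${arn}: region field is empty`);
    if (account === '') findings.push(`${arn}: account field is empty`);
  }
  return findings;
}
// Walks every AWS::IAM::Policy in a template (e.g. a file under cdk.out/) and
// maps logical id -> findings, omitting policies with none.
function auditTemplate(template: any): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const id of Object.keys(template.Resources ?? {})) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const stmts: IamStatement[] = res.Properties?.PolicyDocument?.Statement ?? [];
    const findings = ([] as string[]).concat(...stmts.map(findMalformedLogArns));
    if (findings.length > 0) report[id] = findings;
  }
  return report;
}
// Constructed sample: the issue's malformed statement beside a region- and
// account-qualified one like the workaround adds (the account id is a placeholder).
const logActions = ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'];
const sampleTemplate = {
  Resources: {
    CanaryRoleDefaultPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: {
      Statement: [{ Effect: 'Allow', Action: logActions, Resource: 'arn:aws:logs:::*' }] } } },
    CanaryRoleFixedPolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: {
      Statement: [{ Effect: 'Allow', Action: logActions, Resource: 'arn:aws:logs:eu-west-1:123456789012:*' }] } } },
  },
};
console.log(auditTemplate(sampleTemplate)); // only CanaryRoleDefaultPolicy is reported, with two findings
```

Pointing `auditTemplate` at the JSON templates in `cdk.out/` after `cdk synth` catches this class of defect before deployment, and the same check works for any other service whose ARNs must carry a region.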