cloudwatch logging can not set retention #5605

Closed
matti opened this issue Aug 11, 2022 · 4 comments
Labels
kind/feature New feature or request stale

Comments


matti commented Aug 11, 2022

Why do you want this feature?

First of all, I know this is not directly related to eksctl, but I still think that eksctl could make this smoother.

My nodes have:

```yaml
iam:
  withAddonPolicies:
    cloudWatch: true
```

When I install the https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit chart, there is a Helm value to set `cloudWatch.logRetentionDays`, which is "never" by default. If I set this value in the chart, then the pods crash with:

```text
time="2022-08-10T17:19:05Z" level=error msg="AccessDeniedException: User: arn:aws:sts::254324309357:assumed-role/eksctl-test-7-nodegroup-base-2-8-NodeInstanceRole-1TG07V2PQPOUS/i-00b9cd5b8155f8073 is not authorized to perform: logs:PutRetentionPolicy on resource: arn:aws:logs:eu-north-1:254324309357:log-group:/aws/eks/fluentbit-cloudwatch/logs:log-stream: because no identity-based policy allows the logs:PutRetentionPolicy action\n\tstatus code: 400, request id: df720515-e9ba-4ce1-adec-09f3fbd7145f"
```

as CloudWatchAgentServerPolicy doesn't have this, even if it can create the log group (!)

So, I tried to create a role and set it in the chart, but this fails with `is not authorized to perform: sts:AssumeRole on resource`, so now I don't know what to do next.

What feature/behavior/change do you want?

Something to make this smoother so that I could create short-lived ephemeral clusters that don't leave their logs behind them with the retention policy Never.

@matti matti added the kind/feature New feature or request label Aug 11, 2022

matti commented Aug 15, 2022

aws/eks-charts#436


matti commented Aug 15, 2022

Working around it with:

```yaml
iam:
  withAddonPolicies:
    autoScaler: true
    imageBuilder: true
    ebs: true
    albIngress: true
    cloudWatch: true
  # attachPolicy is a sibling of withAddonPolicies under iam, not one of its keys
  attachPolicy:
    Version: '2012-10-17'
    Statement:
      - Effect: 'Allow'
        Action:
          - 'logs:PutRetentionPolicy'
        Resource: '*'
```
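
A least-privilege variant of the workaround above, as an added example that is not part of the original thread: it parses the AccessDeniedException text and builds an `attachPolicy` document scoped to the one log group instead of `Resource: '*'`. The function names are hypothetical, and the sample string is the error from the issue with the trailing status code and request id omitted; the parser also accepts other "is not authorized to perform" messages.

```python
import json
import re

# Error text from the issue (status code and request id omitted).
SAMPLE = (
    "AccessDeniedException: User: arn:aws:sts::254324309357:assumed-role/"
    "eksctl-test-7-nodegroup-base-2-8-NodeInstanceRole-1TG07V2PQPOUS/"
    "i-00b9cd5b8155f8073 is not authorized to perform: logs:PutRetentionPolicy "
    "on resource: arn:aws:logs:eu-north-1:254324309357:log-group:"
    "/aws/eks/fluentbit-cloudwatch/logs:log-stream: because no identity-based "
    "policy allows the logs:PutRetentionPolicy action"
)

# Captures the denied action and the resource ARN it was evaluated against.
DENIED = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:\S+)"
)


def scoped_statement(message):
    """Build an Allow statement for exactly the denied action and resource."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("no denied action/resource pair found in message")
    action, resource = m["action"], m["resource"]
    # arn:partition:service:region:account:resource-type:rest
    parts = resource.split(":", 6)
    if len(parts) == 7 and parts[2] == "logs" and parts[5] == "log-group":
        # The evaluated ARN carries a ':log-stream:' suffix (see the error),
        # so the policy ARN must end in ':*' to match it. Log group names
        # cannot contain ':', so the name is everything before the next colon.
        group = parts[6].split(":", 1)[0]
        resource = ":".join(parts[:6] + [group, "*"])
    return {"Effect": "Allow", "Action": [action], "Resource": resource}


def attach_policy(message):
    """Wrap the statement in a policy document shaped like iam.attachPolicy."""
    return {"Version": "2012-10-17", "Statement": [scoped_statement(message)]}


if __name__ == "__main__":
    print(json.dumps(attach_policy(SAMPLE), indent=2))
```

The resulting document has the same shape as the `attachPolicy` block in the workaround, with `Resource` narrowed to the single Fluent Bit log group named in the error.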

@github-actions

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Sep 15, 2022
@github-actions

This issue was closed because it has been stalled for 5 days with no activity.
