ptrhck commented on issue #18549:
URL: https://github.com/apache/airflow/issues/18549#issuecomment-1128823855
I am facing the very same issue on Airflow `2.2.2`
```
Failed to execute task An error occurred (AccessDeniedException) when
calling the CreateLogGroup operation: User:
arn:aws:sts::XXXXXXX:assumed-role/airflow-ecs-task-role-staging/airflow_logs_cloudwatch
is not authorized to perform: logs:CreateLogGroup on resource:
arn:aws:logs:eu-central-1:XXXXXXX:assumed:log-group:airflow-v2-staging-dags:log-stream:
because no identity-based policy allows the logs:CreateLogGroup action.
```
The CloudWatch log group is already created using CloudFormation and the
policies accordingly:
```yaml
Resources:
  DagsLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub airflow-v2-${Stage}-dags
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: !Sub ${EnvironmentName}-logs-dags-${Stage}
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource:
                  - !GetAtt DagsLogs.Arn
```
The Airflow configuration variables are the following:
```yaml
Environment:
  - Name: AIRFLOW_CONN_LOGS_CLOUDWATCH
    Value: !Sub 'cloudwatch://cloudwatch?aws_account_id=XXXXXXX&role_arn=arn%3Aaws%3Aiam%3A%3A919107267526%3Arole%2Fairflow-ecs-task-role-${Stage}'
  - Name: AIRFLOW__LOGGING__REMOTE_LOGGING
    Value: 'true'
  - Name: AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER
    Value: !Sub "cloudwatch://arn:aws:logs:eu-central-1:XXXXXXX:log-group:airflow-v2-${Stage}-dags"
  - Name: AIRFLOW__LOGGING__REMOTE_LOG_CONN_ID
    Value: logs_cloudwatch
```
Is this really a policy issue?
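An added example, not part of the comment above and not Airflow or AWS code: a simplified check of the denied call parsed from the quoted error against the posted policy statement. It models only identity-based Allow statements (no Deny, conditions or permission boundaries), assumes `!GetAtt DagsLogs.Arn` resolves to the log group ARN ending in `:*`, and uses a constructed stream name.

```python
import re

# Constructed from the error text quoted in the comment (account id masked as posted).
ERROR = (
    "An error occurred (AccessDeniedException) when calling the CreateLogGroup operation: "
    "User: arn:aws:sts::XXXXXXX:assumed-role/airflow-ecs-task-role-staging/airflow_logs_cloudwatch "
    "is not authorized to perform: logs:CreateLogGroup on resource: "
    "arn:aws:logs:eu-central-1:XXXXXXX:assumed:log-group:airflow-v2-staging-dags:log-stream: "
    "because no identity-based policy allows the logs:CreateLogGroup action."
)
GROUP = "arn:aws:logs:eu-central-1:XXXXXXX:log-group:airflow-v2-staging-dags"
# The posted statement; Resource is an assumption about what !GetAtt DagsLogs.Arn resolves to.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": [GROUP + ":*"],
}]}
STREAM = GROUP + ":log-stream:constructed-stream"  # constructed sample stream ARN

def parse_denial(message):
    """Extract principal, action and resource from an IAM access-denied message."""
    m = re.search(r"User: (?P<principal>\S+) is not authorized to perform: "
                  r"(?P<action>\S+) on resource: (?P<resource>\S+)", message)
    return m.groupdict() if m else None

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Return 'allowed', 'resource-mismatch' or 'action-not-granted' (Allow statements only)."""
    action_seen = False
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if any(_match(a, action, True) for a in _as_list(st.get("Action", []))):
            action_seen = True
            if any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
                return "allowed"
    return "resource-mismatch" if action_seen else "action-not-granted"

if __name__ == "__main__":
    denied = parse_denial(ERROR)
    print(denied["action"], "->", evaluate(POLICY, denied["action"], denied["resource"]))
    print("logs:CreateLogStream ->", evaluate(POLICY, "logs:CreateLogStream", STREAM))
```

Under these assumptions the denied action is not listed in the posted statement, while the two actions it does list match a stream ARN under the log group.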