You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fluent bit logs show error AccessDeniedException because it tries to create a log group that it is not allowed / is not configured:
time="2024-06-13T18:48:52Z" level=error msg="AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/fluentbit-task-role/xxxxxxx is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:xxxxxxxxxxxx:log-group:fluent-bit-cloudwatch:log-stream: because no identity-based policy allows the logs:CreateLogGroup action\n\tstatus code: 400, request id: xxxxxxxx"
However, our output plugin setting is:
[OUTPUT]
Name cloudwatch_logs
Match *
region ca-central-1
log_group_name testname
log_stream_name teststream
auto_create_group false
Retry_Limit no_limits
Our configuration only uses the newer cloudwatch_logs plugin. We do not specify or use the cloudwatch plugin.
It seems that the cloudwatch plugin is being used for some reason as well, even though it is not being specified by us. It is using some config that specifies us-east-1 region and fluent-bit-cloudwatch log group, as shown in the logs. This then causes the denied exception error.
In regards to our specified cloudwatch_logs plugin - we are seeing logs written to the specified log group / log stream correctly.
Issue 2
As shown above in the output config, we set the Retry_Limit to no_limits.
[2024/06/13 19:30:50] [debug] [output:cloudwatch_logs:cloudwatch_logs.1] task_id=0 assigned to thread #0
It's not completely clear to me whether the task_id=0 reached retry-attempts limit 1/1 is referencing cloudwatch_logs plugin. If so, then why is it not respecting our Retry_Limit no_limits setting? (We've also tried different settings, e.g. 5 instead of no_limits). Or is the task_id=0 reached retry-attempts limit 1/1 related to the previous error line that references cloudwatch.0, which means that it is also related to our mysterious cloudwatch plugin.
In addition to what your output .conf file is doing, aws-for-fluent-bit generates a default output plugin which is configured based on your task definition (see this sample JSON task-definition).
To get rid of the error message, you can move the output config you shared into your taskdef, in the logConfiguration section of your application container definition (see the above sample task definition).
That way you have a single correctly-configured OUTPUT plugin, rather than two of them trying to publish the same logs to different places.
Describe the question/issue
Fluent bit logs show error
AccessDeniedException
because it tries to create a log group that it is not allowed / is not configured:However, our output plugin setting is:
During fluent-bit startup we see following logs:
Our configuration only uses the newer
cloudwatch_logs
plugin. We do not specify or use thecloudwatch
plugin.It seems that the
cloudwatch
plugin is being used for some reason as well, even though it is not being specified by us. It is using some config that specifiesus-east-1
region andfluent-bit-cloudwatch
log group, as shown in the logs. This then causes the denied exception error.In regards to our specified
cloudwatch_logs
plugin - we are seeing logs written to the specified log group / log stream correctly.As shown above in the output config, we set the
Retry_Limit
tono_limits
.However, logs show:
Earlier startup logs show:
It's not completely clear to me whether the
task_id=0 reached retry-attempts limit 1/1
is referencingcloudwatch_logs
plugin. If so, then why is it not respecting ourRetry_Limit no_limits
setting? (We've also tried different settings, e.g.5
instead ofno_limits
). Or is thetask_id=0 reached retry-attempts limit 1/1
related to the previous error line that referencescloudwatch.0
, which means that it is also related to our mysteriouscloudwatch
plugin.Configuration
ECS Config:
Fluent Bit Log Output
See above.
Fluent Bit Version Info
Container:
aws-for-fluent-bit:init-latest
Fluent-bit version: Fluent Bit v1.9.10
Cluster Details
Application Details
Steps to reproduce issue
Related Issues
The text was updated successfully, but these errors were encountered: