
How do I grant permissions to create log streams and put log events?

In this example, we will create an AWS IAM policy that grants permissions to create CloudWatch log streams and put log events. We will then attach this policy to an IAM role. This setup is useful for applications or services that need to write logs to CloudWatch.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an IAM policy that allows creating log streams and putting log events
const logPolicy = new aws.iam.Policy("logPolicy", {
    description: "Policy to allow creating log streams and putting log events",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                // "*" lets the role write to any log group in the account; scope this to the
                // ARN of the intended log group (and its streams) for least privilege
                Resource: "*"
            }
        ]
    })
});

// Create an IAM role
const logRole = new aws.iam.Role("logRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Principal: {
                    Service: "ec2.amazonaws.com"
                },
                Action: "sts:AssumeRole"
            }
        ]
    })
});

// Attach the policy to the role
const logRolePolicyAttachment = new aws.iam.RolePolicyAttachment("logRolePolicyAttachment", {
    role: logRole.name,
    policyArn: logPolicy.arn
});

// Export the role ARN
export const roleArn = logRole.arn;

Key Points:

  • IAM Policy: Defines permissions to create log streams and put log events.
  • IAM Role: Allows EC2 instances to assume the role.
  • Role Policy Attachment: Attaches the policy to the role.

Summary:

We created an IAM policy that grants permissions for creating log streams and putting log events in CloudWatch. We then created an IAM role and attached the policy to this role. This setup allows an EC2 instance to assume the role and write logs to CloudWatch.
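The policy above uses Resource: "*". The following added example (not part of the original answer or of Pulumi's own code) builds the same two-action policy document scoped to a single log group, and includes a small check that flags any Allow statement granting logs: actions on "*" so a reviewer can catch the wide form before it is deployed. The region, account id and log group name are placeholder inputs; the JSON string it returns can be passed directly as the policy argument of aws.iam.Policy.

```typescript
// Shapes for the subset of an IAM policy document used here.
interface Statement {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource: string | string[];
}

interface PolicyDocument {
    Version: "2012-10-17";
    Statement: Statement[];
}

// ARNs for one log group and every log stream beneath it. CreateLogStream is
// evaluated against the group, PutLogEvents against the stream, so both are needed.
function logGroupArns(region: string, accountId: string, logGroupName: string): string[] {
    const base = `arn:aws:logs:${region}:${accountId}:log-group:${logGroupName}`;
    return [base, `${base}:*`];
}

// Same actions as the answer's policy, but limited to one log group.
function buildScopedLogPolicy(region: string, accountId: string, logGroupName: string): PolicyDocument {
    return {
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
            Resource: logGroupArns(region, accountId, logGroupName),
        }],
    };
}

// Serialised form for the `policy:` argument of aws.iam.Policy.
function scopedLogPolicyJson(region: string, accountId: string, logGroupName: string): string {
    return JSON.stringify(buildScopedLogPolicy(region, accountId, logGroupName));
}

// Review check: returns every logs: action that an Allow statement grants on
// Resource "*", which is the shape the original answer uses.
function wildcardLogActions(doc: PolicyDocument): string[] {
    const found: string[] = [];
    for (const s of doc.Statement) {
        if (s.Effect !== "Allow") continue;
        const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
        if (resources.indexOf("*") === -1) continue;
        const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
        for (const a of actions) {
            if (a.indexOf("logs:") === 0) found.push(a);
        }
    }
    return found;
}
```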
