logs: Support Resource policies #5343
Description
Reproduction Steps
const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
retention: logs.RetentionDays.THREE_MONTHS,
});
cloudWatchLogGroup.grantWrite(new iam.ServicePrincipal('es.amazonaws.com')).assertSuccess();
Also fails with the resource policy that I need.
const cloudWatchLogGroup = new logs.LogGroup(this, 'ElasticSearchLogGroup', {
retention: logs.RetentionDays.THREE_MONTHS,
});
cloudWatchLogGroup
.grant(
new iam.ServicePrincipal('es.amazonaws.com'),
'logs:PutLogEvents',
'logs:PutLogEventsBatch',
'logs:CreateLogStream'
)
.assertSuccess();
Error Log
Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:CreateLogStream,logs:PutLogEvents' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.
Error: Permissions for 'ServicePrincipal(es.amazonaws.com)' to call 'logs:PutLogEvents,logs:PutLogEventsBatch,logs:CreateLogStream' on '${Token[TOKEN.507]}' could not be added on either identity or resource policy.
Environment
- CLI Version :1.18.0
- Framework Version:1.18.0
- OS :macOS
- Language :TypeScript
Other
This is 🐛 Bug Report