I set up the IAM policies required for Functionbeat, I exported the necessary AWS secrets, and I am sure that my AWS user is allowed to create S3 buckets.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "fnbcloudwatch": {
      "Properties": {
        "Code": {
          "S3Bucket": "trial",
          "S3Key": "functionbeat-deployment/cloudwatch/Ug_VCgMt7ClEBnWafjcN_456WRmaP-CWEjc3fjwnOdk/functionbeat.zip"
        },
        "Description": "lambda function for cloudwatch logs",
        "Environment": {
          "Variables": {
            "BEAT_STRICT_PERMS": "false",
            "ENABLED_FUNCTIONS": "cloudwatch"
          }
        },
        "FunctionName": "cloudwatch",
        "Handler": "functionbeat-aws",
        "MemorySize": 128,
        "ReservedConcurrentExecutions": 5,
        "Role": {
          "Fn::GetAtt": [
            "fnbcloudwatchIAMRoleLambdaExecution",
            "Arn"
          ]
        },
        "Runtime": "go1.x",
        "Timeout": 3
      },
      "Type": "AWS::Lambda::Function"
    },
    "fnbcloudwatchIAMRoleLambdaExecution": {
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::Join": [
                    "",
                    [
                      "lambda.",
                      {
                        "Ref": "AWS::URLSuffix"
                      }
                    ]
                  ]
                }
              }
            }
          ]
        },
        "Path": "/",
        "Policies": [
          {
            "PolicyDocument": {
              "Statement": [
                {
                  "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                    {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/cloudwatch:*"
                    }
                  ]
                }
              ]
            },
            "PolicyName": {
              "Fn::Join": [
                "-",
                [
                  "fnb",
                  "lambda",
                  "cloudwatch"
                ]
              ]
            }
          }
        ],
        "RoleName": "functionbeat-lambda-cloudwatch"
      },
      "Type": "AWS::IAM::Role"
    },
    "fnbcloudwatchLogGroup": {
      "Properties": {
        "LogGroupName": "/aws/lambda/cloudwatch"
      },
      "Type": "AWS::Logs::LogGroup"
    },
    "fnbcloudwatchPermission0": {
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "fnbcloudwatch",
            "Arn"
          ]
        },
        "Principal": {
          "Fn::Join": [
            "",
            [
              "logs.",
              {
                "Ref": "AWS::Region"
              },
              ".",
              {
                "Ref": "AWS::URLSuffix"
              }
            ]
          ]
        },
        "SourceArn": {
          "Fn::Join": [
            "",
            [
              "arn:",
              {
                "Ref": "AWS::Partition"
              },
              ":logs:",
              {
                "Ref": "AWS::Region"
              },
              ":",
              {
                "Ref": "AWS::AccountId"
              },
              ":log-group:",
              "/ecs/process",
              ":*"
            ]
          ]
        }
      },
      "Type": "AWS::Lambda::Permission"
    },
    "fnbcloudwatchSFecsprocess": {
      "Properties": {
        "DestinationArn": {
          "Fn::GetAtt": [
            "fnbcloudwatch",
            "Arn"
          ]
        },
        "FilterPattern": "",
        "LogGroupName": "/ecs/process"
      },
      "Type": "AWS::Logs::SubscriptionFilter"
    }
  }
}
2020-01-31T17:19:44.805+0530 DEBUG [aws.executor] executor/executor.go:53 The executor is executing '6' operations for converging state
2020-01-31T17:19:44.806+0530 DEBUG [aws] aws/op_ensure_bucket.go:33 Verifying presence of S3 bucket: trial
2020-01-31T17:19:45.663+0530 DEBUG [aws.executor] executor/executor.go:76 The executor is rolling back previous execution, '0' operations to rollback
2020-01-31T17:19:45.663+0530 DEBUG [aws.executor] executor/executor.go:89 The rollback is successful
2020-01-31T17:19:45.663+0530 DEBUG [aws] aws/cli_manager.go:117 Deploy finish for function 'cloudwatch'
Function: cloudwatch, could not deploy, error: bucket 'trial' already exist and you don't have permission to access it
2020-01-31T17:19:45.663+0530 DEBUG [cli-handler] cmd/cli_handler.go:64 Deploy execution ended
Fail to deploy 1 function(s)
I can access AWS S3, as you can see below:
aws s3 ls
2019-12-09 20:21:01 imapserver
2020-01-23 18:04:47 snapshot-es-manual
This is my functionbeat config:
functionbeat.provider.aws.functions:
  # Define the list of available functions; each function must have a unique name.
  # Create a function that accepts events coming from CloudWatch Logs.
  - name: cloudwatch
    enabled: true
    type: cloudwatch_logs
    # The log group to subscribe to belongs under "triggers" for the cloudwatch_logs type.
    triggers:
      - log_group_name: /ecs/process
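As an added example (not part of this post or of Functionbeat itself): the "bucket 'trial' already exist and you don't have permission to access it" error is what S3 HeadBucket returns when a bucket name in the global namespace is already owned by another account. The check below classifies that outcome before a deploy and derives a bucket name that includes the account id and region so it cannot collide with a generic name; the namespace, the account id 123456789012 and the regions are constructed stand-ins, and the naming scheme is an assumption.

```python
import re
# S3 bucket names share one global namespace across all AWS accounts, so a generic
# name like "trial" is usually already owned by someone else.  HeadBucket reports:
# 200 accessible, 403 exists but not yours (or denied), 404 free, 301 other region.
BUCKET_NAME_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

VERDICTS = {
    200: "accessible: the deployment package can be uploaded here",
    403: "taken: bucket exists but belongs to another account or is denied; use a unique name",
    404: "free: functionbeat will create the bucket in your account",
    301: "exists in another region: use a bucket in the region you deploy to",
}

def valid_bucket_name(name):
    """S3 naming rules: 3-63 chars, lowercase/digits/./-, not IP-shaped, no '..'."""
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name

def deploy_bucket_name(prefix, account_id, region):
    """Derive a collision-resistant name: prefix + account id + region (assumed scheme)."""
    name = f"{prefix}-{account_id}-{region}".lower()
    if not valid_bucket_name(name):
        raise ValueError(f"invalid bucket name: {name}")
    return name

def classify_bucket(name, head_bucket):
    """Turn a HeadBucket status code into a deploy verdict.  head_bucket is injected
    so the check runs offline here and against the real API in production."""
    if not valid_bucket_name(name):
        return "invalid: name violates S3 naming rules"
    status = head_bucket(name)
    return VERDICTS.get(status, f"unexpected HeadBucket status {status}")

# Constructed stand-in for the global namespace: bucket -> (owner account, region).
# "trial" belongs to some other account, which is what the error on the page implies.
FAKE_NAMESPACE = {
    "trial": ("999999999999", "us-east-1"),
    "functionbeat-deploy-123456789012-ap-south-1": ("123456789012", "ap-south-1"),
    "functionbeat-deploy-123456789012-eu-west-1": ("123456789012", "eu-west-1"),
}

def fake_head_bucket(caller_account, caller_region):
    """Emulate HeadBucket against FAKE_NAMESPACE from the caller's point of view."""
    def head(name):
        entry = FAKE_NAMESPACE.get(name)
        if entry is None:
            return 404
        if entry[0] != caller_account:
            return 403
        return 200 if entry[1] == caller_region else 301
    return head
```

Against the real API, pass a head_bucket that calls boto3's client.head_bucket(Bucket=name) and, on ClientError, returns e.response["ResponseMetadata"]["HTTPStatusCode"].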