Closed
Description:
Now that SAM has support for Step Functions it would be great to have a Policy Template for granting access to CloudWatch Logs for an Express State Machine.
Steps to reproduce the issue:
Here is an example State Machine with the added Policy for the CloudWatch Logs:
```yaml
MyStateMachine:
  Type: AWS::Serverless::StateMachine
  Properties:
    Type: EXPRESS
    Logging:
      Destinations:
        - CloudWatchLogsLogGroup:
            LogGroupArn: !GetAtt MyLogGroup.Arn
      IncludeExecutionData: true
      Level: ALL
    DefinitionUri: statemachine/my_state_machine.asl.json
    Policies:
      - LambdaInvokePolicy:
          FunctionName: !Ref MyLambda
      - Statement:
          - Sid: GeneralCloudWatchLogPolicy
            Effect: Allow
            Action:
              - logs:CreateLogDelivery
              - logs:CreateLogGroup
              - logs:DeleteLogDelivery
              - logs:DescribeResourcePolicies
              - logs:GetLogDelivery
              - logs:ListLogDeliveries
              - logs:PutResourcePolicy
              - logs:UpdateLogDelivery
            Resource:
              # These actions do not support resource-level permissions.
              # Policies granting access must specify "*" in the resource element.
              - "*"
      - Statement:
          - Sid: SpecificCloudWatchLogPolicy
            Effect: Allow
            Action:
              - logs:CreateLogStream
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
              - logs:PutLogEvents
            Resource:
              # AWS::Logs::LogGroup.Arn ends with ":*" so it matches:
              # - log-group (required by logs:CreateLogStream, logs:DescribeLogGroups, and logs:DescribeLogStreams)
              # - log-stream (required by logs:PutLogEvents)
              - !GetAtt MyLogGroup.Arn
```
I had to add the two "- Statement" sections in the policy to allow the State Machine to talk to my Log Group. It would reduce a lot of typing and chances for errors if these were in a Policy Template. It would reduce that down to be similar to the LambdaInvokePolicy I have in the example. Since I had to do 2 separate statements would this need to be 2 Policy Templates?
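The two statements above split along a least-privilege boundary: the log-delivery actions cannot be scoped to a resource and must use `"*"`, while the log-stream actions can and should be scoped to the log group ARN. The following is an added illustration, not code from the SAM project: a function that expands the two statements from a log group ARN the way a policy template would, plus a small lint that flags any action granted on `"*"` that does not belong to the set the post identifies as lacking resource-level permissions. The function and constant names are hypothetical, and the sample ARN in the usage is constructed.

```python
"""Added example (not from the SAM project): expand the two CloudWatch Logs
statements from the issue for a given log group ARN and lint them so that
only actions without resource-level permissions are granted on "*"."""

# Actions CloudWatch Logs does not support resource-level permissions for
# (the GeneralCloudWatchLogPolicy statement in the issue); they require "*".
LOG_DELIVERY_ACTIONS = (
    "logs:CreateLogDelivery",
    "logs:CreateLogGroup",
    "logs:DeleteLogDelivery",
    "logs:DescribeResourcePolicies",
    "logs:GetLogDelivery",
    "logs:ListLogDeliveries",
    "logs:PutResourcePolicy",
    "logs:UpdateLogDelivery",
)

# Actions that can be scoped to the log group / log stream ARN
# (the SpecificCloudWatchLogPolicy statement in the issue).
LOG_GROUP_ACTIONS = (
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
)


def express_logging_statements(log_group_arn):
    """Return the two IAM statements an Express state machine needs to deliver
    execution logs to `log_group_arn` (hypothetical policy-template expansion)."""
    # AWS::Logs::LogGroup.Arn already ends with ":*", which matches both the
    # log-group and the log-stream resource types; append it if a bare log
    # group ARN was supplied so logs:PutLogEvents still matches the streams.
    if not log_group_arn.endswith(":*"):
        log_group_arn = log_group_arn + ":*"
    return [
        {
            "Sid": "GeneralCloudWatchLogPolicy",
            "Effect": "Allow",
            "Action": list(LOG_DELIVERY_ACTIONS),
            "Resource": ["*"],
        },
        {
            "Sid": "SpecificCloudWatchLogPolicy",
            "Effect": "Allow",
            "Action": list(LOG_GROUP_ACTIONS),
            "Resource": [log_group_arn],
        },
    ]


def lint_wildcard_resources(statements):
    """Return (Sid, action) pairs for actions granted on Resource "*" that
    could have been scoped to a log group; an empty list means the policy
    keeps the wildcard to the actions that genuinely need it."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action not in LOG_DELIVERY_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


if __name__ == "__main__":
    # Constructed sample ARN in the shape AWS::Logs::LogGroup.Arn takes.
    sample_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/vendedlogs/states/example:*"
    policy = express_logging_statements(sample_arn)
    print("findings:", lint_wildcard_resources(policy))
```

Running the lint over a hand-written policy that puts `logs:PutLogEvents` on `"*"` reports it, which is the kind of drift a single policy template would prevent by construction.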