ablog

Notes of a clumsy, restless engineer

Accessing CloudWatch Logs from Lambda across accounts

I tried calling the CloudWatch Logs API of account B (234567890123) from a Lambda function in account A (123456789012).

Results

  • Return value
{
  "events": [
    {
      "timestamp": 1543366128635,
      "message": "[940dea18-b6de-4851-a4b1-34cd0ed38541] BENCHMARK : Running Start Crawl for Crawler workshop-sh10json",
      "ingestionTime": 1543366139237
    },
    {
      "timestamp": 1543366169930,
      "message": "[940dea18-b6de-4851-a4b1-34cd0ed38541] BENCHMARK : Classification complete, writing results to database default",
      "ingestionTime": 1543366196029
    },
  • Log output
START RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c Version: $LATEST
END RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c
REPORT RequestId: 07ea4b0c-3a29-4649-b21d-40ce9412a70c	Duration: 1998.25 ms	Billed Duration: 2000 ms	Memory Size: 128 MB	Max Memory Used: 78 MB	Init Duration: 257.63 ms	

Account A

arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount
  • Permissions policies
    • AWSLambdaExecute(AWS managed)
    • AssumeRolePolicy(Customer managed)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Assume Role Policy",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}
arn:aws:lambda:ap-northeast-1:123456789012:function:CWLFunction
  • Runtime: Python 3.7
  • Execution role: LambdaRoleForCrossAccount
import boto3


def lambda_handler(event, context):
    # Assume the role in account B using the Lambda execution role's own credentials.
    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::234567890123:role/CWLRoleForCrossAccount",
        RoleSessionName="cross_acct_lambda"
    )

    # Temporary credentials for account B (valid for the role's session duration).
    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    # CloudWatch Logs client that acts as the account B role.
    client = boto3.client(
        'logs',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )

    # Read the Glue crawler's log stream in account B.
    response = client.get_log_events(
        logGroupName='/aws-glue/crawlers',
        logStreamName='workshop-sh10json'
    )

    return response

Account B

arn:aws:iam::234567890123:role/CWLRoleForCrossAccount
  • Permissions policies
    • CloudWatchLogsReadOnlyAccess(AWS managed)
  • Trust relationships
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
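The two policies above form a pair: account A's identity policy must allow sts:AssumeRole on the target role, and account B's trust policy must name the caller role as principal. As written, account A grants sts:AssumeRole on "Resource": "*" (any role that trusts it) and account B's trust policy has an empty Condition; the following check is an added example, not code from the original post, that lints such a pair with the role ARNs shown above embedded as sample input and treats a wildcard Resource, a whole-account or wildcard principal, and a missing Condition as findings.

```python
# Account A identity policy and account B trust policy, copied from the post above.
ASSUME_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Condition": {},
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount"}}]}
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/LambdaRoleForCrossAccount"
TARGET_ROLE_ARN = "arn:aws:iam::234567890123:role/CWLRoleForCrossAccount"


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_pair(identity_policy, trust_policy, caller_role_arn, target_role_arn):
    """Return findings for both halves of a cross-account AssumeRole (empty list = tight)."""
    findings = []
    can_assume = False
    for stmt in identity_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources:
            findings.append(f"identity policy allows sts:AssumeRole on '*'; scope Resource to {target_role_arn}")
        if "*" in resources or target_role_arn in resources:
            can_assume = True
    if not can_assume:
        findings.append("identity policy does not allow assuming the target role")

    trusted = False
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if caller_role_arn in principals:
            trusted = True
        if "*" in principals or any(p.endswith(":root") for p in principals):
            findings.append("trust policy trusts a whole account or everyone; name the caller role")
        if not stmt.get("Condition"):
            findings.append("trust policy has no Condition (e.g. sts:ExternalId) on who may assume")
    if not trusted:
        findings.append(f"trust policy does not name {caller_role_arn} as a principal")
    return findings


if __name__ == "__main__":
    for f in check_pair(ASSUME_ROLE_POLICY, TRUST_POLICY, LAMBDA_ROLE_ARN, TARGET_ROLE_ARN):
        print("FINDING:", f)
```

Running it against the post's policies reports the wildcard Resource and the empty Condition; replacing "*" with the CWLRoleForCrossAccount ARN and adding a Condition clears both findings.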