When configuring load balancer access logs, what permission does the S3 bucket need?
When enabling access logging for an AWS load balancer, I get the following error:

```
Access Denied for bucket: test-bucket-access-logs. Please check S3bucket permission
```

`test-bucket-access-logs` is the name of the new S3 bucket that I created. How can I give it the proper permissions?
1 answer
The following users marked this post as Works for me:
User | Comment | Date |
---|---|---|
philipp.classen | (no comment) | Jun 21, 2024 at 13:31 |
It needs the `s3:PutObject` permission, but the `Principal` in the policy depends on the AWS region. For instance, in `us-east-1`, this should work (assuming it will log under `s3://test-bucket-access-logs/AWSLogs/<account-name>/`):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::127311923021:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::test-bucket-access-logs/*"
    }
  ]
}
```

As said, the magic number `127311923021` is for `us-east-1` and will differ if the load balancer is in a different region. The full list can be found here:

US East (N. Virginia) – 127311923021
US East (Ohio) – 033677994240
US West (N. California) – 027434742980
US West (Oregon) – 797873946194
Africa (Cape Town) – 098369216593
Asia Pacific (Hong Kong) – 754344448648
Asia Pacific (Jakarta) – 589379963580
Asia Pacific (Mumbai) – 718504428378
Asia Pacific (Osaka) – 383597477331
Asia Pacific (Seoul) – 600734575887
Asia Pacific (Singapore) – 114774131450
Asia Pacific (Sydney) – 783225319266
Asia Pacific (Tokyo) – 582318560864
Canada (Central) – 985666609251
Europe (Frankfurt) – 054676820928
Europe (Ireland) – 156460612806
Europe (London) – 652711504416
Europe (Milan) – 635631232127
Europe (Paris) – 009996457667
Europe (Stockholm) – 897822967062
Middle East (Bahrain) – 076674570225
South America (São Paulo) – 507241528517

If it is successfully configured, it should immediately put a test file called `ELBAccessLogTestFile` in that folder (in this example under `s3://test-bucket-access-logs/AWSLogs/470602773899/ELBAccessLogTestFile`).

Note that the magic numbers above apply only to historical regions; for newer ones (those that became available after August 2022), it again differs. According to the same documentation, it now looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/prefix/AWSLogs/aws-account-id/*"
    }
  ]
}
```
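
The following is an added example, not part of the answer above: a small Python helper that builds the bucket policy for a given region and checks whether an existing policy would let the load balancer write `ELBAccessLogTestFile`. The function names and the `newer_region` flag are hypothetical, the account-ID table is a subset of the list above keyed by the standard AWS region codes, and the `Resource` is narrowed to the `AWSLogs/<account-id>/` path as in the second policy.

```python
import json
from fnmatch import fnmatchcase

# Subset of the regional ELB account IDs listed in the answer above.
LEGACY_ELB_ACCOUNTS = {
    "us-east-1": "127311923021",
    "us-east-2": "033677994240",
    "us-west-2": "797873946194",
}
SERVICE_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"

def expected_principal(region, newer_region=False):
    """Principal the bucket policy must name for a load balancer in `region`."""
    if newer_region:  # regions that became available after August 2022
        return {"Service": SERVICE_PRINCIPAL}
    if region not in LEGACY_ELB_ACCOUNTS:
        raise KeyError(f"{region}: add its ELB account ID from the full list")
    return {"AWS": f"arn:aws:iam::{LEGACY_ELB_ACCOUNTS[region]}:root"}

def log_arn(bucket, account_id, prefix=""):
    """ARN pattern covering only the objects the load balancer writes."""
    parts = [p for p in (prefix.strip("/"), "AWSLogs", account_id) if p]
    return f"arn:aws:s3:::{bucket}/{'/'.join(parts)}/*"

def build_policy(bucket, region, account_id, prefix="", newer_region=False):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": expected_principal(region, newer_region),
        "Action": "s3:PutObject",
        "Resource": log_arn(bucket, account_id, prefix),
    }]}

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def allows_elb_logs(policy, bucket, region, account_id, prefix="", newer_region=False):
    """True if an Allow statement lets the expected principal write the test file."""
    want = expected_principal(region, newer_region)
    test_file = log_arn(bucket, account_id, prefix)[:-1] + "ELBAccessLogTestFile"
    return any(
        st.get("Effect") == "Allow"
        and st.get("Principal") == want  # strict match; list-valued principals not handled
        and "s3:PutObject" in as_list(st.get("Action", []))
        and any(fnmatchcase(test_file, r) for r in as_list(st.get("Resource", [])))
        for st in as_list(policy.get("Statement", []))
    )

if __name__ == "__main__":
    print(json.dumps(build_policy("test-bucket-access-logs", "us-east-1", "470602773899"), indent=2))
```

Checking the `us-east-1` policy against a load balancer in `us-west-2` returns `False`, which is the mismatch that produces the "Access Denied" error in the question.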