AWS CloudWatch Rule returns FailedInvocation with AWS batch as Target
Hi, I have scheduled a CloudWatch rule to run every Wednesday at 14:15 GMT with AWS Batch as the target, and it always returns FailedInvocation. I can see the FailedInvocation events in the related metrics,
but there are no logs about the error and I can't understand the problem.
I have followed this tutorial: https://docs.aws.amazon.com/batch/latest/userguide/batch-cwe-target.html
I have been stuck here for hours; any suggestions?
Configuration
The AWS Batch target is configured as:
- Job queue = arn:..
- Job definition = arn:...
- Job name = name
The role associated with the target has the following policies:
arn:aws:iam::aws:policy/service-role/AWSBatchServiceEventTargetRole
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "batch:SubmitJob"
            ],
            "Resource": "*"
        }
    ]
}
arn:aws:iam::216314997889:role/awsInvokeActionOnEc2
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Describe*",
                "ec2:Describe*",
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "*"
        }
    ]
}
and the trust relationship
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Enable CloudTrail to find the FailedInvocation reason in its logs. I agree that having to find the failure reason through CloudTrail is terrible, but for now that is all there is.
Ran into the same problem and found Input
If you are looking for the reason the invocation failed, see the other answers, unless you are trying to implement an AWS::Events::Rule and are seeing failed invocations. The answer below may solve the problem, without needing to look for those non-existent logs.
Cloudwatch failedinvocation error no logs available
If anyone is hitting FailedInvocations from an event rule targeting a CloudWatch log group, it is most likely due to a missing "CloudWatch Logs resource policy" that allows the AWS Events service to create CloudWatch logs. If you create the rule through the console, a suitable one should be provisioned automatically. You can check whether it is configured with:
aws logs describe-resource-policies
If you have an appropriate CloudWatch Logs resource policy configured, you should see something like:
{
    "resourcePolicies": [
        {
            "policyName": "TrustEventsToStoreLogEvents",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"TrustEventsToStoreLogEvent\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"events.amazonaws.com\",\"delivery.logs.amazonaws.com\"]},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:eu-central-1:1234567890:log-group:/aws/events/*:*\"}]}",
            "lastUpdatedTime": 1641611871623
        }
    ]
}
However, if you configured the rule with Terraform (and possibly with CloudFormation too), this may not be configured automatically.
Here is an example Terraform excerpt that provisions a policy matching the one the console configures automatically:
data "aws_iam_policy_document" "events_delivery_logs_write_logs" {
  statement {
    sid = "TrustEventsToStoreLogEvent"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"]
    principals {
      identifiers = [
        "events.amazonaws.com",
        "delivery.logs.amazonaws.com"
      ]
      type = "Service"
    }
  }
}
resource "aws_cloudwatch_log_resource_policy" "events_delivery_logs_write_logs" {
  policy_document = data.aws_iam_policy_document.events_delivery_logs_write_logs.json
  # This is the standard name that is used when creating a CW event rule -> CW log group through the console
  policy_name = "TrustEventsToStoreLogEvents"
}
Infrastructure resources:
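As an added check that is not part of the original answer: this script parses the JSON that `aws logs describe-resource-policies` prints (the nested `policyDocument` is itself a JSON string) and confirms that some Allow statement grants `events.amazonaws.com` both `logs:CreateLogStream` and `logs:PutLogEvents` on a resource pattern covering the rule's log group. The sample output embedded below is constructed to mirror the answer above; the account id, region and log group name are placeholders.

```python
"""Check a CloudWatch Logs resource policy for the grant EventBridge needs.

Assumed input: the JSON printed by `aws logs describe-resource-policies`.
"""
import fnmatch
import json

# Constructed sample in the shape of the CLI output, carrying the policy the
# console creates (account id and region are placeholder values).
SAMPLE_OUTPUT = json.dumps({"resourcePolicies": [{
    "policyName": "TrustEventsToStoreLogEvents",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "TrustEventsToStoreLogEvent",
        "Effect": "Allow",
        "Principal": {"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]},
        "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
        "Resource": "arn:aws:logs:eu-central-1:1234567890:log-group:/aws/events/*:*"}]}),
    "lastUpdatedTime": 1641611871623}]})

REQUIRED_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")

def _as_list(value):
    # IAM lets Statement, Action, Resource and Service be a string or a list
    return value if isinstance(value, list) else [value]

def _covered(needed, patterns):
    # IAM allows * and ? wildcards in Action and Resource; ARNs and action
    # names contain no brackets, so fnmatch semantics fit here.
    return all(any(fnmatch.fnmatchcase(n, p) for p in patterns) for n in needed)

def events_can_write(describe_output, log_group_arn):
    """True if an Allow statement lets events.amazonaws.com create streams and
    put events on a resource pattern covering log_group_arn (ending in :*)."""
    for policy in json.loads(describe_output)["resourcePolicies"]:
        doc = json.loads(policy["policyDocument"])  # nested JSON string
        for stmt in _as_list(doc.get("Statement", [])):
            principal = stmt.get("Principal", {})
            # A bare "*" principal would let any account write to the group;
            # that is over-broad, so it is deliberately not accepted as a grant.
            if not isinstance(principal, dict):
                continue
            services = _as_list(principal.get("Service", []))
            if stmt.get("Effect") != "Allow" or "events.amazonaws.com" not in services:
                continue
            if not _covered(REQUIRED_ACTIONS, _as_list(stmt.get("Action", []))):
                continue
            if _covered([log_group_arn], _as_list(stmt.get("Resource", []))):
                return True
    return False

if __name__ == "__main__":
    arn = "arn:aws:logs:eu-central-1:1234567890:log-group:/aws/events/batch-rule:*"
    print("EventBridge can write:", events_can_write(SAMPLE_OUTPUT, arn))
```

Feed it the real CLI output and the ARN from `aws logs describe-log-groups` for the rule's target group; a False result points at the missing resource policy rather than at the target's IAM role.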