공식 문서대로 하면 안된다.
https://docs.datadoghq.com/logs/log_configuration/archives/?tab=awss3
물론 아마존이 잘 알려주긴 하는데...
안되는 부분은
권한 생성할 때
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DatadogUploadAndRehydrateLogArchives",
"Effect": "Allow",
"Action": ["s3:PutObject", "s3:GetObject"],
"Resource": [
"arn:aws:s3:::<MY_BUCKET_NAME_1_/_MY_OPTIONAL_BUCKET_PATH_1>/*",
"arn:aws:s3:::<MY_BUCKET_NAME_2_/_MY_OPTIONAL_BUCKET_PATH_2>/*"
]
},
{
"Sid": "DatadogRehydrateLogArchivesListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::<MY_BUCKET_NAME_1>",
"arn:aws:s3:::<MY_BUCKET_NAME_2>"
]
}
]
}이걸로 모자라다.
https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/reference_policies_elements_principal.html
모자란 항목은 Principal 이라고 보안 주체를 지정하는 것인데....
IAM에 DatadogIntegrationRole 추가 후..
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DatadogUploadAndRehydrateLogArchives",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::??:role/DatadogIntegrationRole",
"arn:aws:iam::??:root"
]
},
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<MY_BUCKET_NAME_1_/_MY_OPTIONAL_BUCKET_PATH_1>/*",
"arn:aws:s3:::<MY_BUCKET_NAME_2_/_MY_OPTIONAL_BUCKET_PATH_2>/*"
]
},
{
"Sid": "DatadogRehydrateLogArchivesListBucket",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::??:role/DatadogIntegrationRole",
"arn:aws:iam::??:root"
]
},
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::<MY_BUCKET_NAME_1>",
"arn:aws:s3:::<MY_BUCKET_NAME_2>"
]
}
]
}ListBucket action은 bucket 에 적용되는 기능이므로 /* 붙이지 않음에 유의.
마음 가는 길은 죽 곧은 길