WAFV2 PutLoggingConfiguration raising AccessDeniedException without naming required permissions
LumaC0 opened this issue
Describe the bug
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
The above code fails when the WAF logging configuration doesn't already exist and the executing role allows wafv2:PutLoggingConfiguration in its permissions. The error:
ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: You don't have the permissions that are required to perform this operation.
Could be more descriptive and tell me which permission is missing, like it does when wafv2:PutLoggingConfiguration is missing from the IAM policy.
Expected Behavior
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
Outputs:
ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: The following IAM permissions are needed to perform this operation: [permission1, permission2, permission3]
Current Behavior
import boto3

wafv2 = boto3.client('wafv2')
wafv2.put_logging_configuration(LoggingConfiguration={
    'ResourceArn': '<arn>',
    'LogDestinationConfigs': ['<arn>']
})
Raises:
----> 1 waf.put_logging_configuration(LoggingConfiguration={
2 'ResourceArn': '<arn>',
3 'LogDestinationConfigs': ['<arn>']})
File ~/.asdf/installs/python/3.11.7/lib/python3.11/site-packages/botocore/client.py:553, in ClientCreator._create_api_method.<locals>._api_call(self, *args, **kwargs)
549 raise TypeError(
550 f"{py_operation_name}() only accepts keyword arguments."
551 )
552 # The "self" in this scope is referring to the BaseClient.
--> 553 return self._make_api_call(operation_name, kwargs)
File ~/.asdf/installs/python/3.11.7/lib/python3.11/site-packages/botocore/client.py:1009, in BaseClient._make_api_call(self, operation_name, api_params)
1005 error_code = error_info.get("QueryErrorCode") or error_info.get(
1006 "Code"
1007 )
1008 error_class = self.exceptions.from_code(error_code)
-> 1009 raise error_class(parsed_response, operation_name)
1010 else:
1011 return parsed_response
ClientError: An error occurred (AccessDeniedException) when calling the PutLoggingConfiguration operation: You don't have the permissions that are required to perform this operation.
Reproduction Steps
- Create a web application firewall from the console, making sure to leave the logging configuration disabled. Copy the ARN.
- Create an S3 bucket with the bucket name prefixed with aws-waf-logs-
- Create a role or user and add allow wafv2:PutLoggingConfiguration in its IAM policy
- Set credential envvars for the account and role/user created above
- Run the following code, filling in the ARNs of the WAF and the bucket:
from boto3 import client
wafv2 = client("wafv2")
wafv2.put_logging_configuration(LoggingConfiguration={
'ResourceArn': '<waf_arn>',
'LogDestinationConfigs': ['<bucket_arn>']
})
Possible Solution
Add the required permissions to the error message
Additional Information/Context
No response
SDK version used
1.34.29
Environment details (OS name and version, etc.)
Linux Kernel: 6.8.5-arch1-1
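As an added example (not code from this issue or from the boto3 project), a small wrapper around the same call: it checks the destination bucket name against the aws-waf-logs- prefix before calling the API and, when the call is denied, reports whether the service named the missing action or only returned the generic message from this issue, pointing at the docs page linked here. The S3 ARN pattern, the "not authorized to perform" wording, and the stand-in ClientError used when botocore is not installed are assumptions.

```python
import re

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: stand-in with the same constructor and .response
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response.get("Error", {}).get("Message", ""))
            self.response = error_response

# Facts from the issue: the bucket-name prefix WAF requires and the docs page it cites.
WAF_LOG_BUCKET_PREFIX = "aws-waf-logs-"
DOCS_URL = "https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html#logging-s3-permissions"
S3_ARN_RE = re.compile(r"^arn:aws[a-z-]*:s3:::(?P<bucket>[a-z0-9.-]{3,63})$")  # assumed shape
NAMED_ACTION_RE = re.compile(r"not authorized to perform: ([a-z0-9-]+:[A-Za-z0-9*]+)")  # assumed wording

def check_log_destination(arn):
    """Return problems with an S3 log-destination ARN; an empty list means it looks usable."""
    m = S3_ARN_RE.match(arn)
    if not m:
        return [f"{arn!r} is not an S3 bucket ARN"]
    if not m.group("bucket").startswith(WAF_LOG_BUCKET_PREFIX):
        return [f"bucket name must start with {WAF_LOG_BUCKET_PREFIX!r}"]
    return []

def explain_access_denied(error_response):
    """Map a parsed ClientError.response to an actionable message (None if not AccessDenied)."""
    err = error_response.get("Error", {})
    if err.get("Code") != "AccessDeniedException":
        return None
    named = NAMED_ACTION_RE.findall(err.get("Message", ""))
    if named:
        return "IAM policy is missing: " + ", ".join(named)
    # The opaque form from the issue: nothing is named, so point at the docs.
    return ("service did not name the missing action; compare the caller's policy with "
            f"{DOCS_URL} (a new logging configuration needs more than wafv2:PutLoggingConfiguration)")

def put_logging_configuration_checked(wafv2, resource_arn, destination_arn):
    """Preflight the destination, call the API, and make an opaque AccessDenied actionable."""
    problems = check_log_destination(destination_arn)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        return wafv2.put_logging_configuration(LoggingConfiguration={
            "ResourceArn": resource_arn, "LogDestinationConfigs": [destination_arn]})
    except ClientError as exc:
        diagnosis = explain_access_denied(exc.response)
        if diagnosis is None:
            raise
        raise PermissionError(diagnosis) from exc
```

Pass a real `boto3.client("wafv2")` as `wafv2`; any object with a boto3-compatible `put_logging_configuration` method works, which is what makes the wrapper testable offline.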
This link: https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html#logging-s3-permissions says exactly what's needed. I'm mostly concerned with the error message.