6

Hi, I have set up a CloudWatch rule to run every Wednesday at 14.15 GMT with an AWS Batch target, and it always returns FailedInvocation. I can see the FailedInvocation events in the associated metric,

but there are no logs about the error, and I cannot understand the problem.

I followed this tutorial: https://docs.aws.amazon.com/batch/latest/userguide/batch-cwe-target.html. I have been stuck on this for hours; any suggestions?

Configuration

The AWS Batch target is configured as follows:

  • Job queue = arn:..
  • Job definition = arn:...
  • Job name = name

The role associated with the target has the following policies:

  • arn:aws:iam::aws:policy/service-role/AWSBatchServiceEventTargetRole

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "batch:SubmitJob"
          ],
          "Resource": "*"
        }
      ]
    }

  • arn:aws:iam::216314997889:role/awsInvokeActionOnEc2

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:Describe*",
            "ec2:Describe*",
            "ec2:RebootInstances",
            "ec2:StopInstances",
            "ec2:TerminateInstances"
          ],
          "Resource": "*"
        }
      ]
    }

  • Trust relationship

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }


3 Answers

5

Enable CloudTrail to find the FailedInvocation reason in its logs. I agree that having to find the failure reason via CloudTrail is awful. But for now, that is all there is. Faced the same problem and found the input

Answered 2018-05-09T10:33:34.533
0

If you are looking for the reason your invocation failed, see the other answers, unless you are trying to implement an AWS::Events::Rule and are seeing failed invocations. The following answer may solve the problem and negate the need to look for those non-existent logs.

No logs available for Cloudwatch failedinvocation error

Answered 2020-09-11T21:29:32.257
0

If anyone is getting FailedInvocations for an event rule that targets a CloudWatch log group, it is most likely due to a missing "CloudWatch Logs resource policy" that allows the AWS Events service to create CloudWatch logs. If you created the rule through the console, an appropriate policy should have been configured automatically. You can check whether you have one configured:

aws logs describe-resource-policies

If you have an appropriate CloudWatch Logs resource policy configured, you should see something like this:

{
    "resourcePolicies": [
        {
            "policyName": "TrustEventsToStoreLogEvents",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"TrustEventsToStoreLogEvent\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"events.amazonaws.com\",\"delivery.logs.amazonaws.com\"]},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"arn:aws:logs:eu-central-1:1234567890:log-group:/aws/events/*:*\"}]}",
            "lastUpdatedTime": 1641611871623
        }
    ]
}

However, if you configured the rule with Terraform (or possibly CloudFormation), this may not have been configured automatically.

Here is a sample Terraform excerpt that provisions a policy matching the one configured automatically through the console:

# Partition, region and account lookups referenced when building the log-group ARN
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "events_delivery_logs_write_logs" {
  statement {
    sid = "TrustEventsToStoreLogEvent"

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    # Scoped to the /aws/events/ prefix, matching the policy the console creates
    resources = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"]

    principals {
      identifiers = [
        "events.amazonaws.com",
        "delivery.logs.amazonaws.com"
      ]
      type = "Service"
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "events_delivery_logs_write_logs" {
  policy_document = data.aws_iam_policy_document.events_delivery_logs_write_logs.json
  # This is the standard name used when creating a CW event rule -> CW log group through the console
  policy_name = "TrustEventsToStoreLogEvents"
}

Infrastructure:

Answered 2022-01-08T07:05:10.033
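Both failure modes on this page come down to a policy that does not grant what the Events service needs: the question's Batch target needs a role that events.amazonaws.com can assume and that carries batch:SubmitJob, and the third answer's log-group target needs a CloudWatch Logs resource policy granting events.amazonaws.com logs:CreateLogStream and logs:PutLogEvents on the log group. The script below is an added example, not code from any of the posters, that checks both offline from policy documents pasted in or fetched with the AWS CLI. It implements only the subset of IAM policy grammar used on this page (Effect, service Principals, Action, Resource, with Deny overriding Allow); Condition, NotAction, NotResource and NotPrincipal are not modelled, so a policy that relies on them must be read by hand. The sample documents at the bottom are constructed to mirror the ones in the posts, and the account id 1234567890 is a placeholder.

```python
import fnmatch
import json

# Minimal evaluator for the IAM policy subset these posts use: Effect,
# Principal (service principals only), Action and Resource. Condition,
# NotAction, NotResource and NotPrincipal are deliberately not modelled.


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcards: '*' matches any run, '?' one character. Brackets are
    literal in IAM but a character class to fnmatch, so escape them."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _principal_matches(principal, service):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    services = _as_list(principal.get("Service"))
    return "*" in services or service in services


def policy_allows(policy, action, resource="*", service=None):
    """True if `policy` (dict or JSON string) permits `action` on `resource`.

    `service` names the service principal that a trust or resource policy
    must grant to (e.g. events.amazonaws.com); leave it None for an
    identity-based policy, which has no Principal element. An explicit
    Deny overrides any Allow, as in IAM.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if service is not None and not _principal_matches(stmt.get("Principal"), service):
            continue
        # Action names match case-insensitively, resource ARNs case-sensitively.
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def diagnose_batch_target(trust_policy, role_policies):
    """The question's setup: the rule's target role must be assumable by
    events.amazonaws.com and must carry batch:SubmitJob. Returns problems."""
    problems = []
    if not policy_allows(trust_policy, "sts:AssumeRole", service="events.amazonaws.com"):
        problems.append("trust policy does not let events.amazonaws.com assume the role")
    if not any(policy_allows(p, "batch:SubmitJob") for p in role_policies):
        problems.append("no attached policy grants batch:SubmitJob")
    return problems


LOG_WRITE_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")


def diagnose_log_group_target(describe_output, log_group_arn):
    """The third answer's check: feed in `aws logs describe-resource-policies`
    output and the target log group ARN; returns the write actions that no
    resource policy grants to events.amazonaws.com on that group."""
    if isinstance(describe_output, str):
        describe_output = json.loads(describe_output)
    policies = [p["policyDocument"] for p in describe_output.get("resourcePolicies", [])]
    return [a for a in LOG_WRITE_ACTIONS
            if not any(policy_allows(p, a, log_group_arn, service="events.amazonaws.com")
                       for p in policies)]


# --- Constructed sample inputs, shaped like the documents in the posts ---
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SUBMIT_JOB_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["batch:SubmitJob"], "Resource": "*"}]}
EC2_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["cloudwatch:Describe*", "ec2:Describe*", "ec2:StopInstances"], "Resource": "*"}]}
ACCOUNT = "1234567890"  # placeholder account id, as in the answer's sample output
DESCRIBE_RESOURCE_POLICIES = {"resourcePolicies": [{
    "policyName": "TrustEventsToStoreLogEvents",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "TrustEventsToStoreLogEvent", "Effect": "Allow",
        "Principal": {"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]},
        "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
        "Resource": f"arn:aws:logs:eu-central-1:{ACCOUNT}:log-group:/aws/events/*:*"}]}),
    "lastUpdatedTime": 1641611871623}]}
EVENTS_LOG_GROUP_ARN = f"arn:aws:logs:eu-central-1:{ACCOUNT}:log-group:/aws/events/weekly-batch:*"
OTHER_LOG_GROUP_ARN = f"arn:aws:logs:eu-central-1:{ACCOUNT}:log-group:/aws/lambda/worker:*"

if __name__ == "__main__":
    print("batch target:", diagnose_batch_target(TRUST_POLICY, [SUBMIT_JOB_POLICY, EC2_POLICY]) or "ok")
    print("batch target without SubmitJob:", diagnose_batch_target(TRUST_POLICY, [EC2_POLICY]))
    print("events log group:", diagnose_log_group_target(DESCRIBE_RESOURCE_POLICIES, EVENTS_LOG_GROUP_ARN) or "ok")
    print("log group outside /aws/events/:", diagnose_log_group_target(DESCRIBE_RESOURCE_POLICIES, OTHER_LOG_GROUP_ARN))
```

To run it against a real account, pipe the output of `aws logs describe-resource-policies` into `diagnose_log_group_target` and the role's trust and permissions documents into `diagnose_batch_target`. The second check matters even when the console-created policy exists: it is scoped to `log-group:/aws/events/*:*`, so a rule that targets a log group under any other prefix will still fail to deliver, which is exactly what the constructed `OTHER_LOG_GROUP_ARN` case shows.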