Authentication credentials are required to ship logs to S3.
Follow these steps to obtain the credentials, store them as an AWS Secret, and configure external logging.
Refer to these instructions to create a new AWS IAM user in your AWS account.
Select Programmatic access when creating the user and take note of the Access and Secret Key.
This user, at a minimum, must have an associated policy with the s3:PutObject action.
Sample AWS Policy (substitute S3_BUCKET_NAME):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"
    }
  ]
}
```
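An added example, not part of the original documentation: a Python check that a policy document grants s3:PutObject on objects in the logging bucket and nothing more, which is the minimum this page calls for. The function names, the bucket name example-cpln-logs and the sample object key are assumptions made for the illustration; Deny statements and Condition blocks are not evaluated.

```python
import json
import re

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def audit_log_shipper_policy(policy_json, bucket, sample_key="PREFIX/ORG_NAME/LOG_FILE.jsonl"):
    """Return findings; an empty list means the policy allows s3:PutObject
    on objects in `bucket` and nothing else (Deny/Condition are ignored)."""
    bucket_objects = f"arn:aws:s3:::{bucket}/"
    findings, can_put = [], False
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # Action names are case-insensitive; anything else is excess privilege.
            if action.lower() != "s3:putobject":
                findings.append(f"statement {i}: action {action!r} exceeds s3:PutObject")
        for res in resources:
            if not res.startswith(bucket_objects):
                findings.append(f"statement {i}: resource {res!r} not limited to {bucket_objects}*")
        if any(_iam_match(a, "s3:PutObject", re.IGNORECASE) for a in actions) and any(
            _iam_match(r, bucket_objects + sample_key) for r in resources
        ):
            can_put = True
    if not can_put:
        findings.append(f"no statement allows s3:PutObject on {bucket_objects}{sample_key}")
    return findings

# Constructed inputs: the page's sample policy with a made-up bucket, and a broad variant.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-cpln-logs/*"}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("page sample", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_log_shipper_policy(doc, "example-cpln-logs") or "OK")
```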
Click Secrets from the left menu.
Click the New button.
Enter a Name for the secret, and select AWS from the Secret Type list.
Enter the Access Key and Secret Key and click Save.
External logging can be configured by using either the UI Console or CLI.
Click Org in the left menu.
Click External Logs in the middle context menu.
Select S3 and fill out the required fields.
Click Save.
The prefix will be the folder where the logs will be written.
The folder structure will follow the format:
PREFIX/ORG_NAME/YEAR/MONTH/DAY/HOUR/MINUTE/LOG_FILE.jsonl
The .jsonl file will contain ~1-3k single-line log entries in JSON.
Each entry will contain the following keys:
The external logging configuration can be created / updated using the CLI's cpln org patch ORG_NAME -f FILE.yaml command.
Below is an example Org manifest (in YAML). Edit and save the YAML as a file and use it as an input to the CLI's cpln org patch ORG_NAME -f FILE.yaml command.
Refer to the credential procurement section to obtain and configure the necessary credentials.
```yaml
kind: org
name: ORG_NAME
spec:
  logging:
    s3:
      bucket: S3_BUCKET_NAME
      credentials: //secret/AWS_SECRET
      prefix: /
      region: AWS_REGION
```