Cloudwatch logging IAM error

INFORMATION

Relevant information to this issue:

  • OS: Running custom docker image Node v16.15.1
  • Programming language and version: NestJS application v9
  • Link to your application - Qovery

ISSUE

Hi all. We are having an issue with some new applications we have deployed.
We are attempting to send logs to cloudwatch inside our application and are getting the below error. The application is using this package https://www.npmjs.com/package/winston-cloudwatch
Have created separate IAM credentials with CloudWatchFullAccess Policy applied.
This logging works fine when running the application locally.
Note: Applications that we created > 6 months ago with same logging setup have worked fine. So not sure if it’s related to a recent change.

app-zeb6aa...7b77-jxp78 1f7...6d2 13 Feb, 11:43:44:75 AccessDeniedException: User: arn:aws:sts::630221648069:assumed-role/qovery-eks-workers-z04ddd8fb/i-0901d6d6b0cf754a2 is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:ap-southeast-2:630221648069:log-group:rome-api-gql-b2c-staging:log-stream: because no identity-based policy allows the logs:DescribeLogStreams action app-zeb6aa...7b77-jxp78 1f7...6d2

It’s potentially related to some IAM role that qovery is creating.
Are you able to provide any insight on this please?

Hi,

Can you please double check you’re using locally the same role as arn:aws:sts::630221648069:assumed-role/qovery-eks-workers-z04ddd8fb/i-0901d6d6b0cf754a2?

As if it works locally and not on Qovery, I’m guessing it’s not the same user/role used with different permissions. There is absolutely no reason to have differences as you’re using a library doing this directly in your code.

Also, can you please paste this role permission, so we’ll see what kind of permissions are applied to this role?

Thanks

Hi Pierre,

Thanks for the insight. You were correct in that the role permission wasn’t set up correctly in IAM.
Was just confusing that the error mentioned qovery, so thought it might have been something from your end.

Thanks,
David

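The diagnosis above comes down to reading the AccessDeniedException: the principal it names is the EKS worker node's assumed role, not the separately created IAM user, so the app's credentials were never picked up and the node role has no logs permissions. This added example (not code from the thread or from winston-cloudwatch) parses that message to show which identity really made the call and builds a least-privilege statement for just that log group; the message is the one quoted in the post, and the list of actions winston-cloudwatch needs is an assumption.

```javascript
// Added example, not from the thread: parse the AccessDeniedException text
// quoted above to see which identity really made the CloudWatch Logs call,
// then emit a least-privilege statement for that one log group.
// The message below is the one from the post (account, role and log group
// names come from the page); winston-cloudwatch's action list is an assumption.

const SAMPLE_MESSAGE =
  'AccessDeniedException: User: arn:aws:sts::630221648069:assumed-role/' +
  'qovery-eks-workers-z04ddd8fb/i-0901d6d6b0cf754a2 is not authorized to ' +
  'perform: logs:DescribeLogStreams on resource: arn:aws:logs:ap-southeast-2:' +
  '630221648069:log-group:rome-api-gql-b2c-staging:log-stream: because no ' +
  'identity-based policy allows the logs:DescribeLogStreams action';

const ACCESS_DENIED_RE =
  /User: (?<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized to perform: (?<action>[a-z0-9-]+:\w+) on resource: (?<resource>arn:aws:\S+)/;

// Returns { principal, kind, roleName, action, resource }, or null when the
// text is not an IAM access-denied message.
function parseAccessDenied(message) {
  const m = ACCESS_DENIED_RE.exec(message);
  if (!m) return null;
  const { principal, action, resource } = m.groups;
  // arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION  -> a role (e.g. the node role)
  // arn:aws:iam::ACCOUNT:user/NAME                  -> an IAM user (static keys)
  const role = /:assumed-role\/([^/]+)\//.exec(principal);
  const kind = role ? 'assumed-role' : /:user\//.test(principal) ? 'iam-user' : 'other';
  return { principal, kind, roleName: role ? role[1] : null, action, resource };
}

// Actions winston-cloudwatch needs on the log group (assumed from the CloudWatch
// Logs API calls it makes; verify against the version you run).
const LOG_ACTIONS = [
  'logs:CreateLogGroup', 'logs:CreateLogStream',
  'logs:DescribeLogStreams', 'logs:PutLogEvents',
];

// Statement scoped to the denied log group and its streams: attach this to the
// identity the app actually runs as, rather than CloudWatchFullAccess.
function policyForDeniedCall(parsed) {
  const logGroupArn = parsed.resource.replace(/:log-stream:.*$/, '');
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: LOG_ACTIONS,
                  Resource: [logGroupArn, `${logGroupArn}:log-stream:*`] }],
  };
}

const denied = parseAccessDenied(SAMPLE_MESSAGE);
console.log(denied.kind, denied.roleName); // assumed-role qovery-eks-workers-z04ddd8fb
console.log(JSON.stringify(policyForDeniedCall(denied), null, 2));
```

If `kind` is `assumed-role` while you configured static keys, the SDK's credential chain never saw them; if it is the identity you intended, the fix is the policy, not the credentials.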

No problem @David_Armour

By the way, I don’t know if you recently saw Qovery changelogs https://www.qovery.com/changelog/changelog-00027, but we introduced Role support directly inside pods.

You’ve already done some work to have the lib managing roles, so it may not be relevant to change this, however for future projects, it may be interesting to know that it’s supported and simple to use with Qovery 🙂

You can find a tutorial here: Use AWS IAM roles with Qovery

Best regards,
Pierre