Combined permissions of Fargate logging into single step

Merge permissions steps 3 & 4 together, move IAM policy download down into this step as a new tabbed section. The config file steps was too long and logically, the `kubectl apply` is the last sub-step, so the permissions were getting skipped by customers.
awsdocs · Feb 25, 2025 · 9a9b0fc · 9a9b0fc
1 parent 40e593d
commit 9a9b0fc
Showing 1 changed file with 29 additions and 17 deletions.
diff --git a/latest/ug/nodes/fargate-logging.adoc b/latest/ug/nodes/fargate-logging.adoc
@@ -166,12 +166,6 @@ data:
 ----
 kubectl apply -f aws-logging-cloudwatch-configmap.yaml
 ----
-.. Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub.
-+
-[source,bash,subs="verbatim,attributes"]
-----
-curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json
-----
 
 Amazon OpenSearch Service::
 *To create a `ConfigMap` for Amazon OpenSearch Service*
@@ -206,14 +200,6 @@ data:
 ----
 kubectl apply -f aws-logging-opensearch-configmap.yaml
 ----
-.. Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub.
-+
-[source,bash,subs="verbatim,attributes"]
-----
-curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json
-----
-+
-Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"].
 
 Firehose::
 *To create a `ConfigMap` for Firehose*
@@ -248,20 +234,46 @@ data:
 ----
 kubectl apply -f aws-logging-firehose-configmap.yaml
 ----
+====
+
+. Set up permissions for the Fargate Pod execution role to send logs to your destination.
+====
+[role="tablist"]
+CloudWatch::
+.. Download the CloudWatch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json[view the policy] on GitHub.
++
+[source,bash,subs="verbatim,attributes"]
+----
+curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/cloudwatchlogs/permissions.json
+----
+
+Amazon OpenSearch Service::
+.. Download the OpenSearch IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json[view the policy] on GitHub.
++
+[source,bash,subs="verbatim,attributes"]
+----
+curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/amazon-elasticsearch/permissions.json
+----
++
+Make sure that OpenSearch Dashboards' access control is configured properly. The `all_access role` in OpenSearch Dashboards needs to have the Fargate Pod execution role and the IAM role mapped. The same mapping must be done for the `security_manager` role. You can add the previous mappings by selecting `Menu`, then `Security`, then `Roles`, and then select the respective roles. For more information, see link:tr/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/[How do I troubleshoot CloudWatch Logs so that it streams to my Amazon ES domain?,type="marketing"].
+
+Firehose::
 .. Download the Firehose IAM policy to your computer. You can also https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json[view the policy] on GitHub.
 +
 [source,bash,subs="verbatim,attributes"]
 ----
 curl -O https://raw.githubusercontent.com/aws-samples/amazon-eks-fluent-logging-examples/mainline/examples/fargate/kinesis-firehose/permissions.json
 ----
 ====
-. Create an IAM policy from the policy file you downloaded in a previous step.
+
+.. Create an IAM policy from the policy file that you downloaded.
 +
 [source,bash,subs="verbatim,attributes"]
 ----
 aws iam create-policy --policy-name eks-fargate-logging-policy --policy-document file://permissions.json
 ----
-. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see <<fargate-sg-pod-execution-role>>).
+
+.. Attach the IAM policy to the pod execution role specified for your Fargate profile with the following command. Replace [.replaceable]`111122223333` with your account ID. Replace [.replaceable]`AmazonEKSFargatePodExecutionRole` with your Pod execution role (for more information, see <<fargate-sg-pod-execution-role>>).
 +
 [source,bash,subs="verbatim,attributes,quotes"]
 ----
@@ -415,4 +427,4 @@ Events:
   Warning  LoggingDisabled  <unknown>  fargate-scheduler                                              Disabled logging because aws-logging configmap was not found. configmap "aws-logging" not found
 ----
 
-The Pod events are ephemeral with a time period depending on the settings. You can also view a Pod's annotations using `kubectl describe pod [.replaceable]``pod-name```. In the Pod annotation, there is information about whether the logging feature is enabled or disabled and the reason.
+The Pod events are ephemeral with a time period depending on the settings. You can also view a Pod's annotations using `kubectl describe pod [.replaceable]``pod-name```. In the Pod annotation, there is information about whether the logging feature is enabled or disabled and the reason.