
Create Gitlab Enterprise and aws accounts for iflorez
Closed, Resolved | Public

Description

Request to create accounts for iflorez, data scientist supporting the Future Audiences team on ChatGPT plugin analysis.

Need:

  • AWS account
  • AWS access to: CloudWatchLogsReadOnlyAccess, StartQuery, GetQueryResults, and iam:CreateAccessKey
  • Gitlab Enterprise account.
  • Debug account

Name: Irene Florez
email: iflorez@wikimedia.org

Nat Hillard, Maryana Pinchuk, and Mikhail Popov can be contacted in support of the request, as needed.

Backend steps on my end:

  • request access and appropriate permissions
  • create GPG key
  • share public GPG key with Alex Lep or appropriate person or this ticket
  • check email and when access is granted set up MFA for Gitlab Enterprise via Okta
  • check email and when AWS access is granted decrypt temporary encrypted password
  • sign into AWS when an account is created and reset password
  • set up MFA for AWS via Okta; see also the AWS IAM page
  • ensure permission levels are granted by testing a manual code pull on the AWS log insights page
  • Get AWS credentials: Authenticate with short term credentials and download them, noting "Application running outside AWS"
  • Obtain the aws CLI utility https://github.com/aws/aws-cli
  • Run 'aws configure' and pass in credential values, along with the value of the region of your aws instance & default output = json.

  • set up SSH appropriately for Gitlab Enterprise

  • Future: create an administrative user in AWS IAM Identity Center (successor to AWS Single Sign-On) for daily administrative tasks.

Event Timeline

Hi @Iflorez! I'll inform the team today of your ticket and we'll get back to you on Monday. Thanks for your request.

Hi @JArguello-WMF, @Alex.lep.sp is working on this task.

As was done in T306571, @Alex.lep.sp requested my public PGP key today.
I followed the instructions that he shared and generated a key. I used the documentation to export the public key:

gpg --armor --output <new-file-name-where-key-will-go> --export <email>

Hi @Iflorez and @Alex.lep.sp! Were you able to set up the account?

@JArguello-WMF I have an AWS account and now need:
a) access to the following groups: CloudWatchLogsReadOnlyAccess, StartQuery, GetQueryResults, and iam:CreateAccessKey
b) A password reset so that I can run through the process once more?

Context: I was able to decrypt the initial AWS password given to me over email. I reset the password as prompted and saved the password. Unfortunately I'm getting this error message now:

Your authentication information is incorrect. Please try again...For help, contact the administrator that provided you with your user name...

@Alex.lep.sp is aware, we're communicating over Slack, and says that he's seen similar issues in the past.

hey, all the permissions should be in place.
Irene, can you please validate?

Hi @Alex.lep.sp

  1. Thank you for resetting my password and giving me an interim password to login with.

I reset my password.

  2. As of today, I don't have basic permissions to query the log-stream logs directly. I'm not able to run queries. And, at the top of the page I see this message:
AccessDeniedException
User: arn:aws:iam::457151943714:user/iflorez is not authorized to perform: logs:DescribeQueryDefinitions on resource: arn:aws:logs:us-east-1:457151943714:log-group::log-stream: with an explicit deny in an identity-based policy

Note though that basic access is limiting as there's a cap on the number of logs one can access and there are download limits.
I'll need advanced permissions to run scripts.
I need these access groups: CloudWatchLogsReadOnlyAccess, StartQuery, GetQueryResults, and iam:CreateAccessKey in order to run our Daily Stats script file.

@Alex.lep.sp I reopened the ticket to address Irene's ask.

@Iflorez
All the requested permissions were granted earlier.
I've added the additional permissions from the AccessDeniedException in your comment, plus some permissions on top, and I hope this should allow you to run the script.
Ping me in case of issues please.
Thx

@Iflorez hope the above will help, once you validate you have access, please let me know via this Phab ticket. Thanks!

@Alex.lep.sp I'm still seeing the previous error message and am now getting a second access error message.

A request to DescribeQueries has failed because of an insufficient permission.
Starting on May 15, 2023, the logs:FilterLogEvents permission does not grant access to the StartQuery, StopQuery, DescribeQueries, GetLogGroupFields, GetLogRecord, or GetQueryResults actions. You must grant access to each of these actions explicitly.
AccessDeniedException
User:[] is not authorized to perform: logs:DescribeQueryDefinitions on resource: []log-stream: with an explicit deny in an identity-based policy

JArguello-WMF added a subscriber: ldelench_wmf.

Call to debug account scheduled for tomorrow 9 AM PST.

After a short discussion we have activated mandatory MFA for Irene's account, and now Irene is able to query the logs through the AWS Console.
Also we have found a way to fetch the scripts from the repository, since the local environment is not yet configured to access the git repos.
The next steps are:

  • Irene will prepare the local environment (export env vars, prepare Python virtual env, etc.) to run the data analysis scripts - most likely some help from Nat will be needed here.
  • In case of any permission issues - @Iflorez will inform us here in the ticket, and we will try to debug it offline or arrange another debug session.

Iflorez updated the task description.

@Iflorez I'll close the ticket now; please let me know if you need anything else on our side. Thanks!
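
The "explicit deny in an identity-based policy" error in this ticket cleared once MFA was activated, which is consistent with a deny-unless-MFA statement; the ticket does not show the real policy, so the one below is constructed. This added example (not code from the ticket or from the team involved) is a simplified evaluator that ignores Resource matching and models a single condition key, to show why added Allow statements could not override the deny and which Logs Insights actions still need an explicit grant.

```python
import fnmatch

# Logs Insights actions the notice quoted in the ticket says must be granted
# explicitly, plus the action named in the AccessDeniedException.
NEEDED = ["logs:StartQuery", "logs:StopQuery", "logs:DescribeQueries",
          "logs:GetLogGroupFields", "logs:GetLogRecord",
          "logs:GetQueryResults", "logs:DescribeQueryDefinitions"]

# Constructed identity-based policy (assumption, not the account's real one).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["logs:FilterLogEvents", "logs:StartQuery",
                "logs:GetQueryResults", "logs:Describe*"]},
    {"Effect": "Deny", "Resource": "*",   # deny everything else without MFA
     "NotAction": ["iam:ChangePassword", "iam:EnableMFADevice",
                   "iam:ListMFADevices"],
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

def _covers(stmt, action):
    """True if the statement's Action or NotAction element applies to action."""
    key = "NotAction" if "NotAction" in stmt else "Action"
    pats = stmt[key] if isinstance(stmt[key], list) else [stmt[key]]
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit if key == "Action" else not hit

def _condition_holds(stmt, mfa):
    """Models only BoolIfExists on aws:MultiFactorAuthPresent.
    mfa is True, False, or None when the key is absent from the request."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    want = cond["BoolIfExists"]["aws:MultiFactorAuthPresent"] == "true"
    return mfa is None or mfa == want   # IfExists: an absent key matches

def evaluate(policy, action, mfa):
    """Return 'explicit deny', 'allow' or 'implicit deny' (Resource ignored)."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _covers(s, action) and _condition_holds(s, mfa)]
    if "Deny" in effects:
        return "explicit deny"          # an explicit deny beats any allow
    return "allow" if "Allow" in effects else "implicit deny"

def report(policy, mfa):
    return {action: evaluate(policy, action, mfa) for action in NEEDED}

if __name__ == "__main__":
    for mfa in (False, True):
        print("MFA present:", mfa, report(POLICY, mfa))
```

With MFA present, the actions left at implicit deny are the ones the constructed Allow statement omits, in line with the quoted notice that logs:FilterLogEvents no longer covers them.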