AWS CloudWatch
AWS CloudWatch is AWS's service for monitoring and observing your applications and resources. This integration allows you to forward your deployment and audit logs from env0 directly to CloudWatch log groups.
Prerequisites
Before you begin, make sure you have:
- Enabled OIDC in your env0 organization.
- Configured an identity provider as explained in the Set up an AWS OIDC authentication guide.
Setup
To allow env0 to send logs to CloudWatch, you need an IAM policy with the necessary permissions. This policy will be attached to an IAM Role you use for OIDC authentication.
The policy allows env0 to create and write to two log groups: env0-deployments and env0-audits.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-deployments",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-deployments:*",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-audits",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-audits:*"
      ]
    }
  ]
}
Optional: Using a Log Group Prefix
If you manage multiple env0 organizations that log to the same AWS account, you can use a prefix to keep the logs separate. For example, a prefix like prod/ would create log groups named prod/env0-deployments and prod/env0-audits.
To use a prefix, modify the Resource ARNs in the policy. For a prefix of prod/, your resource list would look like this:
"Resource": [
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-deployments",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-deployments:*",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-audits",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-audits:*"
]
Self Configuration of CloudWatch Transporter
There are two ways to configure the integration:
- In the env0 app
In the organization's integrations page, click on CloudWatch and fill in the form's fields:
- Using environment variables
In the env0 platform, configure the following environment variables in any scope to forward the deployment logs. These are the relevant environment variables:
- ENV0_CLOUDWATCH_ROLE_ARN (mandatory): the ARN of the IAM role associated with your OIDC provider.
- ENV0_CLOUDWATCH_AWS_REGION (mandatory): the AWS region where your log groups will reside.
- ENV0_CLOUDWATCH_SESSION_DURATION (optional): the OIDC token session duration in seconds. Defaults to 3600 (1 hour) if not set.
- ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX (optional): an optional prefix for your log group names. Must match the prefix used in your IAM policy.
env0 sets the log group name according to the log type: deployment logs are written to env0-deployments and audit logs to env0-audits, each preceded by ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX when that prefix is set.
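The policy in the Setup section and the prefix variant above must agree with the ENV0_CLOUDWATCH_* variables, or env0 will be denied access to the prefixed log groups. The following is an added example, not env0's own code: it builds the page's policy for a given region, account and prefix, keeping the Resource list scoped to the two env0 log groups rather than a wildcard, reads the environment variables with the documented 3600-second default, and reports which of the log-group ARNs env0 would need are not granted. The function names and the sample account id, role name and prefixes are constructed for illustration.

```python
"""Build the env0 CloudWatch IAM policy and check it against the
ENV0_CLOUDWATCH_* variables (added example, not env0's own code).

Log group names, IAM actions and variable names come from the page; the
function names and sample values below are constructed for illustration.
"""
import json

# The two log groups env0 writes to, before any prefix is applied.
LOG_GROUPS = ("env0-deployments", "env0-audits")

# The actions listed in the page's policy.
LOG_ACTIONS = [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
]


def log_group_arns(region: str, account_id: str, prefix: str = "") -> list:
    """Return the log-group ARN and its ':*' stream ARN for each env0 log
    group, with the optional prefix applied to the group name."""
    arns = []
    for name in LOG_GROUPS:
        group = f"arn:aws:logs:{region}:{account_id}:log-group:{prefix}{name}"
        arns.append(group)
        arns.append(group + ":*")  # the log streams inside the group
    return arns


def build_policy(region: str, account_id: str, prefix: str = "") -> dict:
    """Build the page's policy document, scoped to the two env0 log groups
    (plus prefix) instead of a wildcard log-group resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": LOG_ACTIONS,
                "Resource": log_group_arns(region, account_id, prefix),
            }
        ],
    }


def settings_from_env(env) -> dict:
    """Read the ENV0_CLOUDWATCH_* variables described on the page, applying
    the documented default of 3600 seconds for the session duration."""
    mandatory = ("ENV0_CLOUDWATCH_ROLE_ARN", "ENV0_CLOUDWATCH_AWS_REGION")
    missing = [k for k in mandatory if not env.get(k)]
    if missing:
        raise ValueError(f"missing mandatory variables: {', '.join(missing)}")
    return {
        "role_arn": env["ENV0_CLOUDWATCH_ROLE_ARN"],
        "region": env["ENV0_CLOUDWATCH_AWS_REGION"],
        "session_duration": int(env.get("ENV0_CLOUDWATCH_SESSION_DURATION", "3600")),
        "prefix": env.get("ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX", ""),
    }


def policy_gaps(policy: dict, settings: dict) -> list:
    """Return the ARNs env0 will need (derived from the variables) that the
    policy does not grant for all of LOG_ACTIONS. A non-empty result means
    the prefix or region in the variables does not match the policy."""
    # IAM role ARNs look like arn:aws:iam::<account_id>:role/<name>.
    account_id = settings["role_arn"].split(":")[4]
    needed = log_group_arns(settings["region"], account_id, settings["prefix"])
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not set(LOG_ACTIONS) <= set(actions):
            continue  # this statement does not grant everything env0 needs
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        granted.update(resources)
    return [arn for arn in needed if arn not in granted]


if __name__ == "__main__":
    # Constructed sample values, not a real account or role.
    policy = build_policy("us-east-1", "123456789012", prefix="prod/")
    print(json.dumps(policy, indent=2))
    env = {
        "ENV0_CLOUDWATCH_ROLE_ARN": "arn:aws:iam::123456789012:role/env0-cloudwatch",
        "ENV0_CLOUDWATCH_AWS_REGION": "us-east-1",
        "ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX": "prod/",
    }
    print("gaps with matching prefix:", policy_gaps(policy, settings_from_env(env)))
    env["ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX"] = "staging/"
    print("gaps with mismatched prefix:", policy_gaps(policy, settings_from_env(env)))
```

Run it once with the prefix you intend to set in ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX; an empty gap list means the role's policy covers exactly the log groups env0 will create, while any listed ARN points at a prefix or region mismatch to fix before the first deployment.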