How to create CloudWatch logs trigger for AWS Lambda function using aws SDK?
Question
I according to https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudWatchLogs.html#putSubscriptionFilter-property
nodejs
const AWS = require('aws-sdk');
AWS.config = new AWS.Config
({
accessKeyId: "AKIA******",
secretAccessKey: "6RJf******vy",
});
const cloudwatchlogs = new AWS.CloudWatchLogs({ region: 'a******1' });
var params = {
destinationArn: 'arn:aws:lambda:******:function:******',
filterName: 'LambdaStream_******',
filterPattern: '?Error ?Waring ?error ?"node(1)" ?info ?INFO',
logGroupName: '/aws/lambda/******',
distribution: 'ByLogStream',
};
cloudwatchlogs.putSubscriptionFilter(params, function (err, data) {
if (err) console.log( err, err.stack);
else console.log(data);
});
I will get the following error:
{ InvalidParameterException: Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to ex ecute your function.
at Request.extractError
......
(/mnt/******/node_modules/aws-sdk/lib/sequential_executor.js:116:18) message: 'Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function.', code: 'InvalidParameterException', time: 2019-03-21T03:05:47.966Z, requestId: '39c9******3', statusCode: 400, retryable: false, retryDelay: ******86 } InvalidParameterException: Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function.
supplement: enter image description here
I gave these executive roles:
AWSLambdaFullAccess
CloudWatchFullAccess
CloudWatchLogsFullAccess
AmazonVPCFullAccess
AWSLambdaVPCAccessExecutionRole
AWSLambdaRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutSubscriptionFilter",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
}
]
}
3 answers
solution1
0 2019-03-21 06:56:46
var params = {
Action: 'lambda:InvokeFunction', /* required */
FunctionName: 'arn:aws:lambda:******:******:function:******', /* required */
Principal: 'logs.*region*.amazonaws.com', /* required */
StatementId: '******', /* required */
// SourceAccount: '******',
// SourceArn: 'arn:aws:logs:::******:******'
};
lambda.addPermission(params, function (err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
solution2
0 2019-03-21 09:31:50
This is all you need in the role policy for having CloudWatch Full Access.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "logs:*",
"Resource": "*"
}
]
}
solution3
0 2020-11-02 20:05:11
As specified in the docs, you need to grant permission to CloudWatch Logs the right to execute your Lambda function.
To perform this task, you can use this CLI command:
aws lambda add-permission --function-name "lamda1" --statement-id "lamda1" --principal "logs.us-west-2.amazonaws.com" --action "lambda:InvokeFunction" --source-arn "arn:aws:logs:us-west-2:xxxxxx047983:log-group:testgroup:*" --source-account "xxxxxx047983"
Make sure you replace the function name with your function name and replace the xxxxxx with your account details. For more information, see the Amazon CloudWatch Logs Guide .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.