
Why Won't My Lambda Functions Write To CloudWatch Logs





Today we are going to review a topic that I hear very often from engineers getting started with Lambda. It is so common that I would almost say I hear it once a week, and it only takes a few moments to fix.

First, let’s review the symptoms. You start building a Lambda function and you click Test. The console shows you any error messages and debug statements the function produced, and you are ready to add a trigger so the function is invoked for you. After the trigger invokes the function, it is time to check the CloudWatch logs to confirm the application code executed as expected. That is when you see there are no logs in CloudWatch: the dreaded banner across the top of the screen, on a nice red background, reading “There was an error loading Log Streams. Please try again by refreshing this page.”

Screenshot: error writing to CloudWatch Logs. The banner reads “There was an error loading Log Streams. Please try again by refreshing this page.”

What Is The Cause?

When the Lambda function executes, one item it relies on for permissions is the execution role it is configured to assume. The Lambda function can only perform actions against the AWS API that the role allows. The problem is that this execution role does not have the permissions needed to write the log data to CloudWatch.

How Do I Resolve It?

The IAM Role assumed by the Lambda function needs the permissions "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", and "logs:DescribeLogStreams" in order to create a log group, create a log stream, and then write the data to the stream. This is an example of a policy with those permissions, as taken from the AWS Documentation.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

AWS provides a policy that already contains the necessary permissions to write to the CloudWatch logs named “AWSLambdaBasicExecutionRole”.
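Both the documentation sample above (Resource "arn:aws:logs:*:*:*") and the managed policy let the function write to every log group in the account. For a function that should only ever log to its own group, a policy scoped to /aws/lambda/<function-name> is the least-privilege form. The following is an added example written for this article, not code from the original post or from AWS: it builds such a scoped policy and runs a quick gap check over a role's policy documents to find which of the four logging actions are not granted. The account id, region, function name and sample policy documents are constructed; the ARN layout follows the standard CloudWatch Logs format, and the "basic execution" sample is my recollection of the managed policy's shape (three actions on Resource "*"), so verify it against the policy document in your own account.

```python
"""Build a least-privilege CloudWatch Logs policy for one Lambda function and
check whether a set of IAM policy documents already grants the logging actions.

Added example; not from the original article. Account id, region and function
name are constructed sample values.
"""
import fnmatch
import json

# The four actions the article names as required for a Lambda execution role.
REQUIRED_LOG_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogStreams",
)


def build_lambda_logging_policy(region, account_id, function_name):
    """Return a policy document scoped to the function's own log group.

    Lambda writes to /aws/lambda/<function-name>. CreateLogGroup is granted on
    that log-group ARN and the stream-level actions on its streams, instead of
    arn:aws:logs:*:*:* as in the documentation sample.
    """
    log_group_arn = (
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": log_group_arn},
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams",
                ],
                "Resource": f"{log_group_arn}:*",
            },
        ],
    }


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy_documents, required=REQUIRED_LOG_ACTIONS):
    """Return the subset of `required` allowed by the given policy documents.

    Handles Allow statements whose Action is a string or list and may contain
    IAM wildcards such as "logs:*" or "*"; IAM action names are matched
    case-insensitively. Deny statements, Conditions and Resource scoping are
    ignored: this is a quick gap check, not a full IAM evaluation (use IAM's
    SimulatePrincipalPolicy API for that).
    """
    allowed = set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                for action in required:
                    if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                        allowed.add(action)
    return allowed


def missing_logging_actions(policy_documents):
    """Return the required logging actions no document grants, sorted."""
    return sorted(set(REQUIRED_LOG_ACTIONS) - granted_actions(policy_documents))


# Constructed sample: a hand-made execution role whose only policy covers
# DynamoDB, so it was never given any logging rights (the article's symptom).
DYNAMODB_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": "*"}],
}

# Constructed sample shaped like AWSLambdaBasicExecutionRole as I recall it:
# three logging actions on every resource (verify against your account).
BASIC_EXECUTION_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print("missing, DynamoDB-only role:", missing_logging_actions([DYNAMODB_ONLY_POLICY]))
    print("missing, basic execution policy:", missing_logging_actions([BASIC_EXECUTION_LIKE_POLICY]))
    scoped = build_lambda_logging_policy("us-east-1", "123456789012", "order-processor")
    print(json.dumps(scoped, indent=2))
    print("missing, scoped policy:", missing_logging_actions([scoped]))
```

To run the gap check against a real role, fetch its documents with boto3 (iam.list_attached_role_policies, iam.get_policy_version and iam.list_role_policies / iam.get_role_policy) and pass them to missing_logging_actions. The console steps below can also be done with the CLI: aws iam attach-role-policy --role-name <role> --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole.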

We can add this policy to the IAM Role using the following steps.

  • Start by navigating to the IAM portion of the AWS Web Console.
  • From the left hand menu, choose the Roles tab.
  • Click the role used by your Lambda function.
  • With the Permissions tab open, choose “Attach Policies”.
  • In the search box, search for AWSLambdaBasicExecutionRole.
  • Place a check next to the policy named “AWSLambdaBasicExecutionRole”. Ensure the type is “AWS Managed Policy”.
  • Click Attach Policy.

Now that this policy has been attached, the Lambda function is able to write to the CloudWatch logs.
