8

I am using this command to stream log to a lambda function.

aws logs put-subscription-filter --log-group-name $LOG_GROUP_NAME --filter-name $LAMBDA_NAME --filter-pattern '' --destination-arn $LAMBDA_ARN

but got this error:

An error occurred (InvalidParameterException) when calling the PutSubscriptionFilter operation: Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function.

It seems the log doesn't have permission to invoke my lambda. How can I give the permission? There will be hundreds of log groups in my account. I don't want to give permission to each log group one by one. Is there a solution to allow any log to invoke the lambda function?

Joey Yi Zhao

3 Answers

6

The AWS docs provide an AWS CLI example of how to do it. You would have to adjust the example to your setup:

aws lambda add-permission \
    --function-name "helloworld" \
    --statement-id "helloworld" \
    --principal "logs.region.amazonaws.com" \
    --action "lambda:InvokeFunction" \
    --source-arn "arn:aws:logs:region:123456789123:log-group:TestLambda:*" \
    --source-account "123456789012"
Marcin
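To see what that CLI call actually does, and why a single statement can cover every log group in the account, here is an added example (not from the answer above or from AWS): it builds the resource-policy statement that `aws lambda add-permission` attaches to the function, evaluates the `ArnLike` condition the way IAM does (each colon-separated ARN part compared separately, with `*` and `?` wildcards), and reports which log-group ARNs from a constructed sample list would be allowed to invoke the function. The function name, account id and log-group ARNs are made-up sample values.

```python
"""Model the Lambda resource-policy statement created by `aws lambda add-permission`
and check which CloudWatch Logs groups it lets invoke the function.

Added example; the account id, function name and log groups below are constructed."""
import fnmatch
import json


def build_permission_statement(function_arn, region, account,
                               sid="CloudWatchLogsInvoke", log_group="*"):
    """Return the statement add-permission creates for principal logs.<region>.amazonaws.com.

    log_group="*" scopes the permission to every log group in this account and
    region (the question's "any log group" case); a name such as
    "/aws/lambda/orders" restricts it to that single group."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{region}.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": account},
            "ArnLike": {
                "AWS:SourceArn": f"arn:aws:logs:{region}:{account}:log-group:{log_group}:*"
            },
        },
    }


def arn_like(pattern, arn):
    """IAM ArnLike semantics: the six colon-delimited parts (partition, service,
    region, account, resource) are matched one by one; each may use * and ?."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    return len(p_parts) == len(a_parts) and all(
        fnmatch.fnmatchcase(part, pat) for part, pat in zip(a_parts, p_parts)
    )


def allowed_sources(statement, log_group_arns):
    """Return the log-group ARNs whose subscription filter this statement permits.

    Both conditions must hold: the source account (taken from the ARN's fifth
    part) must equal AWS:SourceAccount, and the ARN must match AWS:SourceArn."""
    cond = statement["Condition"]
    want_account = cond["StringEquals"]["AWS:SourceAccount"]
    pattern = cond["ArnLike"]["AWS:SourceArn"]
    return [
        arn for arn in log_group_arns
        if arn.split(":")[4] == want_account and arn_like(pattern, arn)
    ]


def add_permission_command(function_name, statement):
    """Render the equivalent `aws lambda add-permission` call for the statement."""
    cond = statement["Condition"]
    return (
        f"aws lambda add-permission --function-name {function_name} "
        f"--statement-id {statement['Sid']} "
        f"--principal {statement['Principal']['Service']} "
        f"--action lambda:InvokeFunction "
        f"--source-arn '{cond['ArnLike']['AWS:SourceArn']}' "
        f"--source-account {cond['StringEquals']['AWS:SourceAccount']}"
    )


# Constructed sample data: log groups in two regions and two accounts.
SAMPLE_LOG_GROUPS = [
    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*",
    "arn:aws:logs:us-east-1:123456789012:log-group:/ecs/api:*",
    "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/orders:*",
    "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/orders:*",
]

if __name__ == "__main__":
    fn_arn = "arn:aws:lambda:us-east-1:123456789012:function:log-processor"
    wide = build_permission_statement(fn_arn, "us-east-1", "123456789012")
    print(json.dumps(wide, indent=2))
    print(add_permission_command("log-processor", wide))
    for arn in allowed_sources(wide, SAMPLE_LOG_GROUPS):
        print("allowed:", arn)
```

The account-wide statement still refuses the other account's group and the other region's group: `--source-account` and the region inside `--source-arn` keep the wildcard from turning into "any CloudWatch Logs resource anywhere can invoke this function", which is the narrowest grant that satisfies the question.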
2

CloudFormation script

LogGroupInvokeLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !GetAtt YourLambda.Arn
    Action: lambda:InvokeFunction
    Principal: logs.amazonaws.com
    SourceAccount: !Ref 'AWS::AccountId'
    SourceArn: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaThatWritesLogs}:*'
osynavets
0

If you're using AWS CDK and having this problem, I was able to fix it by adding "logs:PutLogEvents" for the CloudWatch Logs Group to the Lambda Function Role Policy:

from aws_cdk import RemovalPolicy
from aws_cdk import aws_iam as iam
from aws_cdk import aws_lambda as _lambda
from aws_cdk import aws_logs as logs
from aws_cdk import aws_logs_destinations as destinations

logs_processing_lambda = _lambda.Function(...)

# Log group whose events are streamed to the processing function
cloudwatch_logs = logs.LogGroup(
    scope=self,
    id="logs",
    removal_policy=RemovalPolicy.DESTROY,
    retention=logs.RetentionDays.TWO_WEEKS,
)

# Allow the function's execution role to write to that log group
lambda_role = iam.PolicyStatement(
    effect=iam.Effect.ALLOW,
    actions=[
        "logs:PutLogEvents",
    ],
    resources=[cloudwatch_logs.log_group_arn],
)

logs_processing_lambda.add_to_role_policy(lambda_role)

# add_permissions=True grants the CloudWatch Logs service principal
# lambda:InvokeFunction on the function, which is what the CLI error asks for
lambda_dest = destinations.LambdaDestination(
    fn=logs_processing_lambda, add_permissions=True
)

cloudwatch_logs.add_subscription_filter(
    id="lambdaSubscription",
    destination=lambda_dest,
    filter_pattern=logs.FilterPattern.all_events(),
)
Wesley Cheek