I am trying to put a subscription on a CW log group from a Lambda function that is scanning for Lambdas with the right tag. When calling put_subscription_filter, an error is thrown:
"An error occurred (InvalidParameterException) when calling the PutSubscriptionFilter
operation: Could not execute the lambda function. Make sure you have given CloudWatch Logs
permission to execute your function."
As stated in the docs for put subscription filter, the iam:PassRole permission is needed. I have granted this. I have made sure it is not a permission issue for the Lambda function by giving it full admin rights.
Reading the error, it indicates that it is CW Logs that needs permission to execute a function; my guess is that it is the subscription destination function that they may mean. I have tried a lot of different things here but still no cigar.
Setting a subscription filter in the console is straightforward, and no policy is modified or created as far as I can see.
Does anyone have experience with this or any input?
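The permission named in the error lives in the destination function's resource-based policy: the CloudWatch Logs service principal must be allowed `lambda:InvokeFunction` there, which Lambda's `add_permission` call grants. The sketch below is an added example, not part of the original post: it builds those arguments scoped to one log group and classifies an existing policy (the `Policy` string from `get_policy`). The statement id, ARNs and account id are constructed placeholders, only the global `logs.amazonaws.com` principal is checked, and `fnmatchcase` is an approximation of IAM's ARN wildcard matching.

```python
import json
from fnmatch import fnmatchcase

LOGS_PRINCIPAL = "logs.amazonaws.com"

def invoke_permission_kwargs(function_name, log_group_arn, account_id):
    """Keyword arguments for boto3's lambda client add_permission(**kwargs):
    lets CloudWatch Logs invoke the destination, scoped to one log group."""
    return {
        "FunctionName": function_name,
        "StatementId": "AllowCWLogsInvoke",  # hypothetical statement id
        "Action": "lambda:InvokeFunction",
        "Principal": LOGS_PRINCIPAL,
        "SourceArn": log_group_arn,
        "SourceAccount": account_id,
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def logs_invoke_status(policy_json, log_group_arn):
    """Classify a Lambda resource policy for one log group:
    "missing"  - no statement lets CloudWatch Logs invoke for this log group
    "scoped"   - allowed, with a SourceArn condition matching this log group
    "unscoped" - allowed with no SourceArn condition (any log group)"""
    status = "missing"
    for st in json.loads(policy_json or "{}").get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or LOGS_PRINCIPAL not in services:
            continue
        if not {"lambda:InvokeFunction", "lambda:*"} & set(_as_list(st.get("Action"))):
            continue
        patterns = [p for op, keys in st.get("Condition", {}).items()
                    if op in ("ArnLike", "ArnEquals")
                    for k, v in keys.items() if k.lower() == "aws:sourcearn"
                    for p in _as_list(v)]
        if not patterns:
            return "unscoped"
        if any(fnmatchcase(log_group_arn, p) for p in patterns):
            status = "scoped"
    return status

# Constructed sample values (not from the original post).
SAMPLE_ARN = "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/lambda/demo:*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCWLogsInvoke", "Effect": "Allow",
    "Principal": {"Service": LOGS_PRINCIPAL}, "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:log-sink",
    "Condition": {"ArnLike": {"AWS:SourceArn": SAMPLE_ARN}}}]})
```

A result of "unscoped" means any log group that can reach the service principal may trigger the function, so the `SourceArn` and `SourceAccount` arguments are worth keeping.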