AWS Lambda@Edge not logging

I have viewer-request and origin-response Lambda functions deployed to a CloudFront distribution, which are firing, but not logging to CloudWatch. I have spent a considerable amount of time researching this topic, and have run through all advice from other posts including:
Checking all regions for logs, as I know that the CloudWatch logs will be created in the region in which the Lambda@Edge function runs. No logs in any of them.
I have checked that the AWSServiceRoleForCloudFrontLogger role exists.
Interestingly, when I purposefully code an error into one of the Lambda functions, I do get logs created within a group named /aws/cloudfront/LambdaEdge/<cloudfront distribution id> containing error logs; however, there is no output from the console.log statements there.
For the life of me I can't work out how I can enable logging of ALL requests, both successes and failures, to CloudWatch, containing my debug statements using console.log().
The AWSServiceRoleForCloudFrontLogger contains a single policy AWSCloudFrontLogger:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:/aws/cloudfront/*"
    }
  ]
}
EDIT:
Below is the AWS role suggested by AWS support. I can confirm this worked and resolved the issue.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}

The issue most probably is that Lambda does not have the permissions to output the logs into CloudWatch.
Can you double check the Lambda function execution role permissions?
Related link: Can't get AWS Lambda function to log (text output) to CloudWatch
Explanation
So there are two kinds of logs here; hence you have to provide permissions to CloudWatch in two different places.
Logs that you put in your Lambda function (using console.log): since these logs are published by the function to CloudWatch, the function execution role should have permission to write to CloudWatch. This is true irrespective of who triggers the Lambda function.
Now comes L@E. Sometimes you might end up modifying the request/response in a way that is not valid as per CloudFront. In these scenarios only CloudFront has the knowledge that you messed up (your Lambda function doesn't know this), and it publishes this knowledge in the form of logs to CloudWatch. Now, since this is a different entity, it needs its own permissions to push the logs to CloudWatch (which you had provided via AWSServiceRoleForCloudFrontLogger).


Why active tracing disabled in my lambda even if it has required policy?

I have a lambda in AWS and in the console under Monitoring, it shows a warning:
When I click the edit button, it says: "The required permissions were not found. The Lambda console will attempt to add them to the execution role."
but my lambda already has this policy in its role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords",
        "xray:GetSamplingRules",
        "xray:GetSamplingTargets",
        "xray:GetSamplingStatisticSummaries"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
I wonder what else it needs in order to enable active tracing?
$ aws lambda update-function-configuration --function-name my-function \
--tracing-config Mode=Active
I enabled the tracing using the above command and the below-mentioned permissions:
$ aws lambda get-function --function-name mylambda | jq .Configuration.TracingConfig
{
  "Mode": "Active"
}
And I was able to see the corresponding traces. The strange thing is that it was complaining the whole time in the UI for the latest version as well, saying "The required permissions were not found. The Lambda console will attempt to add them to the execution role." even though there were permissions in place. So I am guessing it might be a bug in the UI, unless someone can add more information about it.
As I keep hitting save, it keeps adding a new policy to the Lambda execution role and simultaneously complaining with the same warning message.
Using AWS Lambda with AWS X-Ray
Only these permissions are needed, as described in the doc:
Lambda needs the following permissions to send trace data to X-Ray. Add them to your function's execution role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
This is helpful when we have multiple versions deployed and want to test a specific version like dev/test/prod etc.
Tracing mode is part of the version-specific configuration that is locked when you publish a version of your function. You can't change the tracing mode on a published version.

AWS CloudWatch - Log group does not exist

I'm getting this error message when trying to see the log file in AWS CloudWatch for my AWS Lambda function.
An error occurred while describing log streams.
The specified log group does not exist.
Log group does not exist
The specific log group: /aws/lambda/xxxxx does not exist in this account or region.
By the way, I'm using the Singapore region.
Make sure that your Lambda function's execution role has sufficient permissions to write logs to CloudWatch, and that the log group resource in the IAM policy includes your function's name.
In the IAM console, review and edit the IAM policy for the execution role to make sure that:
The write actions CreateLogGroup and CreateLogStream are allowed. You should attach these policies to the IAM role of the Lambda function.
Note: If you don't need custom permissions for your function, you can attach the managed policy AWSLambdaBasicExecutionRole, which allows Lambda to write logs to CloudWatch.
The AWS Region specified in the Amazon Resource Name (ARN) is the same as your Lambda function's Region.
The log-group resource includes your Lambda function name. For example, if your function is named myLambdaFunction, the log-group is /aws/lambda/myLambdaFunction.
Here is an example of the permissions in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:region:accountId:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:region:accountId:log-group:/aws/lambda/functionName:*"
      ]
    }
  ]
}

Does S3 trigger need permission to call getObject?

I have a lambda function that is set up as a trigger on an S3 bucket and it gets called correctly but the lambda function fails when calling S3.getObject.
Do I need to separately set permissions for the lambda function in order to allow it to call getObject on the bucket that triggered the event?
UPDATE:
There seems to be a bug with AWS Amplify that means the S3Trigger bucket permissions get replaced by any API permissions you add. They both create a policy using the same name and it seems whichever gets created last ends up replacing the previous one.
I worked around this by renaming the S3 trigger policy.
Yes, you need to provide a Lambda execution role with access to your Amazon S3 bucket.
You can use a policy similar to this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
See https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/

Why can't I see logs in my lambda function?

I've been trying in vain to see logs for my lambda function. No matter what I see this:
To be clear, the lambda function runs properly. I just can't see the logs at all.
I've recreated the function multiple times to make sure it wasn't me accidentally mucking with a setting that disabled logging.
My steps:
From the AWS Lambda function page, create a new function. I'm using nodejs 8.10, but it seems to fail even if I use a 6.x version.
Upload a zip file with my function (including the node_modules directory, package.json and package-lock.json as well) to S3 into testbucket with the filename thumbnails.zip.
Use this command to publish my lambda function from S3: aws lambda update-function-code --function-name transcode-v2 --s3-bucket mytestbucket --s3-key thumbnails.zip.
I can test my function with sample data and the test button.
I can also invoke it from the CLI and it seems to "work" (in that it runs).
I always see this message when I go to cloud logs: There was an error loading Log Streams. Please try again by refreshing this page. I've tried recreating the function twice and this does not fix it.
Anyone know what is wrong here? The function seems to work under test (meaning, I see logs inside the test logging dialog), and when I invoke from the command line. But, nothing ever gets into the cloud logging page except for that error.
I can see that invocations are being triggered from AWS.
When an AWS role is created, you must provide an IAM Role that will be used by the Lambda function. The permissions associated with the role will grant access to AWS services and resources required by the Lambda function.
There is a default AWSLambdaBasicExecutionRole that provides:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
These permissions allow the Lambda function to write log information to Amazon CloudWatch Logs.
There are other available Roles too, such as AWSLambdaExecute:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
So, either use one of these pre-provided roles, or add similar permissions to the Role that your Lambda function is using.

AWS Lambda@Edge debugging

I'm currently working on a Lambda@Edge function.
I cannot find any logs on CloudWatch or other debugging options.
When running the lambda using the "Test" button, the logs are written to CloudWatch.
When the lambda function is triggered by a CloudFront event the logs are not written.
I'm 100% positive that the event trigger works, as I can see its result.
Any idea how to proceed?
Thanks ahead,
Yossi
1) Ensure you have provided permission for Lambda to send logs to CloudWatch. Below is the AWSLambdaBasicExecutionRole policy, which you need to attach to the execution role you are using for your Lambda function.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
2) Lambda creates CloudWatch Logs log streams in the CloudWatch Logs regions closest to the locations where the function is executed. The format of the name for each log stream is /aws/lambda/us-east-1.function-name where function-name is the name that you gave to the function when you created it. So ensure you are checking the cloudwatch logs in the correct REGION.
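As an added example (not code from any of the posts above), here is a small offline checker that evaluates the log-resource scopes quoted in these threads (the /aws/cloudfront/* scope, the arn:aws:logs:*:*:* fix, a single-region log-group ARN, and an all-region ARN using the edge naming) against the log group and log stream ARNs a Lambda@Edge replica actually writes to, following the /aws/lambda/<region>.<function-name> naming described in the answer above. The account id, the stream name, the function name 'thumbnails', and the simplified IAM matching (explicit Deny wins, no Condition, NotAction or NotResource handling) are assumptions of the example.

```python
import re
ACCOUNT = "123456789012"  # constructed account id for the example

def _glob(pattern, ignore_case=False):
    """Compile an IAM wildcard pattern (* = any run, ? = one char) to an anchored regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)

def _matches(patterns, value, ignore_case=False):
    return any(_glob(p, ignore_case).match(value) for p in (patterns if isinstance(patterns, list) else [patterns]))

def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants. Condition,
    NotAction, NotResource and Principal are ignored (assumption). Actions match case-insensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action, True) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def log_resources(region, account, function_name, edge=False):
    """ARNs Lambda writes to in `region`; a Lambda@Edge replica logs to /aws/lambda/<home-region>.<name>
    in the region that served the request (home region assumed us-east-1)."""
    name = f"us-east-1.{function_name}" if edge else function_name
    group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{name}"
    stream = f"{group}:log-stream:2024/01/01/[$LATEST]0123456789abcdef"  # constructed stream name
    return {"logs:CreateLogGroup": group, "logs:CreateLogStream": stream, "logs:PutLogEvents": stream}

def writable_regions(policy, function_name, regions, edge=False, account=ACCOUNT):
    return [r for r in regions if all(policy_allows(policy, act, res)
                                      for act, res in log_resources(r, account, function_name, edge).items())]

def logging_policy(group_resource, stream_resource):
    """Two-statement shape quoted on the page: CreateLogGroup on a broad ARN, stream actions on the log group."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": group_resource},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": [stream_resource]}]}

if __name__ == "__main__":  # resource scopes quoted in the threads above, checked for an edge function 'thumbnails'
    regions = ["us-east-1", "eu-west-1", "ap-southeast-1"]
    for label, grp, stream in [
        ("cloudfront-scoped", "arn:aws:logs:*:*:/aws/cloudfront/*", "arn:aws:logs:*:*:/aws/cloudfront/*"),
        ("all-log-resources", "arn:aws:logs:*:*:*", "arn:aws:logs:*:*:*"),
        ("home-region-plain", f"arn:aws:logs:us-east-1:{ACCOUNT}:*",
         f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/thumbnails:*"),
        ("all-regions-edge", f"arn:aws:logs:*:{ACCOUNT}:*",
         f"arn:aws:logs:*:{ACCOUNT}:log-group:/aws/lambda/us-east-1.thumbnails:*")]:
        print(f"{label:18} writable in {writable_regions(logging_policy(grp, stream), 'thumbnails', regions, edge=True)}")
```

The cloudfront-scoped and home-region-plain policies yield no writable region for the edge replica (wrong path prefix, or region and name fixed to the home region), while the all-regions-edge form grants only what the replicas need.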
In case anyone finds it useful.
The fact that AWS prefixes your function name, which breaks the built-in "CloudWatch at a glance" Dashboard, and that Lambda#Edge runs across multiple regions inspired me to create this CloudWatch Dashboard template that gives you similar standard monitoring for all regions in one dashboard.