I have a CloudFormation template that contains a Lambda function. The relevant part is
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Environment:
    Description: Environment name
    Type: String
    Default: Prod
Resources:
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: !Join [ '-', ['lambda-log', !Ref Environment, 'sqs-distributor'] ]
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !GetAtt LambdaLogGroup.Arn
  LambdaLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      # No LogGroupName is set, so CloudFormation generates one
      # (StackName-LambdaLogGroup-<random suffix>)
      RetentionInDays: 7
The Lambda function does not run as expected, but when it is created through CloudFormation, nothing gets logged to a stream either.
I have checked the Lambda function for syntax errors and also checked the ExecutionRole, which looks like this after creation
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:765121849689:log-group:ProdSQSDistributor-LambdaLogGroup-1CVWUP6CZHAWX:*",
      "Effect": "Allow"
    }
  ]
}
The log group is also where I expect it to be.
Answer 0 (score: 1)
A LogGroup is created, and the role has permission to act on that LogGroup, but in the AWS::Lambda::Function
definition I don't see anything that specifies it will use that LogGroup:
Specify log group for an AWS lambda?
The AWS managed IAM policy arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole "Provides write permissions to CloudWatch Logs":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Using that policy will allow it to create the LogGroup that it will use.
Answer 1 (score: 0)
Please use the code below to resolve your issue. You need to replace LambdaFunction with your Lambda function's name. In your code you do not have permission to create a log group. Since there is no permission to create the log group, the log stream cannot be created. The policy also allows access to/invocation of your Lambda, if needed.
Below is the policy/code in JSON; you can convert it to YAML as needed.
"LambdaCommon": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "lambda_common",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
},
"LambdaBasicPolicy": {
  "DependsOn": [
    "LambdaCommon"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda_basic_policy",
    "Roles": [
      {
        "Ref": "LambdaCommon"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:ListVersionsByFunction",
            "lambda:ListTags",
            "lambda:GetFunction",
            "lambda:ListAliases",
            "lambda:GetFunctionConfiguration",
            "lambda:GetAlias",
            "lambda:GetPolicy",
            "logs:*",
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface"
          ],
          "Resource": "*"
        }
      ]
    }
  }
},
"LambdaLogGroup": {
  "Type": "AWS::Logs::LogGroup",
  "DependsOn": "LambdaFunction",
  "Properties": {
    "LogGroupName": {
      "Fn::Join": [
        "",
        [
          "/aws/lambda/",
          {
            "Ref": "LambdaFunction"
          }
        ]
      ]
    }
  }
}
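The following template is an added example tying both answers together; it is not code from the question or from either answer. Lambda always writes to a log group named /aws/lambda/<FunctionName>, so the template gives the pre-created group exactly that name and creates it before the function. That keeps the asker's narrowly scoped role working without granting logs:CreateLogGroup or a wildcard Resource. The function name, runtime, handler and the inline handler code are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original question or answers): a Lambda function
  whose log group is pre-created under the name Lambda actually writes to,
  /aws/lambda/<FunctionName>, with the execution role scoped to that one group.
Parameters:
  Environment:
    Description: Environment name
    Type: String
    Default: Prod
Resources:
  # The function name is fixed (assumed here as <Environment>-sqs-distributor)
  # so the log group name can be derived before the function exists.
  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${Environment}-sqs-distributor
      RetentionInDays: 7
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub lambda-log-${Environment}-sqs-distributor
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # No logs:CreateLogGroup and no Resource "*": the group already
              # exists, so the function only needs to write streams into it.
              # GetAtt ...Arn ends in ":*", which covers the log streams.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt LambdaLogGroup.Arn
  SqsDistributorFunction:
    Type: AWS::Lambda::Function
    # Create the group first so an early invocation can never race
    # CloudFormation into creating /aws/lambda/<name> itself (which would
    # need CreateLogGroup and make the LogGroup resource fail with
    # ResourceAlreadyExists).
    DependsOn: LambdaLogGroup
    Properties:
      FunctionName: !Sub ${Environment}-sqs-distributor
      Runtime: python3.12          # assumed runtime
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: |
          import logging

          logger = logging.getLogger()
          logger.setLevel(logging.INFO)

          def handler(event, context):
              # logging output and stdout/stderr land in /aws/lambda/<FunctionName>
              logger.info("received event: %s", event)
              return {"status": "ok"}
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name ProdSQSDistributor --capabilities CAPABILITY_IAM`. Two caveats: the log group name and the function name are coupled, so renaming the function means renaming the group too; and because the group is now a stack resource, a pre-existing group of the same name (for example from an earlier manual invocation) makes the create fail and must be deleted or imported first, while deleting the stack deletes the logs unless the LogGroup carries `DeletionPolicy: Retain`.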