AWS Lambda: CloudFormation-created Lambda does not create a log stream/logs
I have a CloudFormation template containing a lambda function. The relevant part is as follows:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Environment:
    Description: Environment name
    Type: String
    Default: Prod
Resources:
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: !Join [ '-', ['lambda-log', !Ref Environment, 'sqs-distributor'] ]
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: !GetAtt LambdaLogGroup.Arn
  SqsDistributor:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Sub
          ...
          ...
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: nodejs8.10
      Timeout: 120
      MemorySize: 128
  LambdaLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 7
The lambda function is not working as expected, but when it is created through CloudFormation it also does not log anything to a stream.

I have checked the Lambda function for syntax errors, and I have also checked the ExecutionRole, which looks like this once created:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:765121849689:log-group:ProdSQSDistributor-LambdaLogGroup-1CVWUP6CZHAWX:*",
      "Effect": "Allow"
    }
  ]
}
The log group is also in place as expected.

Please use the code below to solve your problem. You need to replace the lambda function with your lambda function name. In your code you have not granted permission to create the log group. Since there is no access for log group creation, the log stream cannot be created. If you need lambda, also allow the policy to access/invoke it. The policy/code below is in JSON; you can convert it to YAML as needed.
"LambdaCommon": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "lambda_common",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
},
"LambdaBasicPolicy": {
  "DependsOn": [
    "LambdaCommon"
  ],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "lambda_basic_policy",
    "Roles": [
      {
        "Ref": "LambdaCommon"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lambda:InvokeFunction",
            "lambda:ListVersionsByFunction",
            "lambda:ListTags",
            "lambda:GetFunction",
            "lambda:ListAliases",
            "lambda:GetFunctionConfiguration",
            "lambda:GetAlias",
            "lambda:GetPolicy",
            "logs:*",
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface"
          ],
          "Resource": "*"
        }
      ]
    }
  }
},
"LambdaLogGroup": {
  "Type": "AWS::Logs::LogGroup",
  "DependsOn": "LambdaFunction",
  "Properties": {
    "LogGroupName": {
      "Fn::Join": [
        "",
        [
          "/aws/lambda/",
          {
            "Ref": "LambdaFunction"
          }
        ]
      ]
    }
  }
}
A log group is created and the role has permission to act on that log group, but in the AWS::Lambda::Function definition I do not see anything that specifies it will use that log group.

The AWS managed IAM policy grants write permissions to CloudWatch Logs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Using that policy will allow it to create a log group to use.

Unrelated, but !Join [ '-', ['lambda-log', !Ref Environment, 'sqs-distributor'] ] can be written more clearly as !Sub lambda-log-${Environment}-sqs-distributor
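The two answers above make complementary points: Lambda only ever writes to a log group named /aws/lambda/<FunctionName> (answer 1), and the question's role lacks logs:CreateLogGroup, so a group under any other name is never used (answer 2). The template below is an added example, not code from the question or from either answer, that applies both points in the questioner's YAML style while keeping the role least-privilege: the function gets an explicit FunctionName, the log group is created under exactly that path before the function exists, and the role's logs permissions are scoped to that one group's ARN rather than granting logs:* or logs:CreateLogGroup on "*". The function name scheme ${Environment}-sqs-distributor, the nodejs20.x runtime and the placeholder handler body are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Environment:
    Description: Environment name
    Type: String
    Default: Prod
Resources:
  # Lambda writes to /aws/lambda/<FunctionName>, so the group must carry exactly
  # that name. Creating it here, instead of letting Lambda create it on first
  # invocation, means the role never needs logs:CreateLogGroup and retention is
  # under our control. The naming scheme is an assumption for this example.
  LambdaLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: !Sub '/aws/lambda/${Environment}-sqs-distributor'
      RetentionInDays: 7
  LambdaExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: !Sub 'lambda-log-${Environment}-sqs-distributor'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                # The LogGroup's Arn attribute already ends in ":*", so this covers
                # the group and every stream in it, and nothing else in the account.
                Resource: !GetAtt LambdaLogGroup.Arn
  SqsDistributor:
    Type: 'AWS::Lambda::Function'
    # Explicit ordering: the group must exist before the first invocation, or
    # Lambda would attempt logs:CreateLogGroup, which this role does not allow.
    DependsOn: LambdaLogGroup
    Properties:
      # Must match the LogGroupName above character for character.
      FunctionName: !Sub '${Environment}-sqs-distributor'
      Code:
        ZipFile: |
          // Placeholder handler (assumed for the example); it only logs the event.
          exports.handler = async (event) => {
            console.log('received', JSON.stringify(event));
            return { ok: true };
          };
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Runtime: nodejs20.x
      Timeout: 120
      MemorySize: 128
```

Two things to be aware of when using this shape. A fixed FunctionName means the stack cannot be deployed twice in the same account and region without changing the Environment parameter, which is the price of being able to name the log group up front. And if you would rather take answer 2's route and let Lambda create the group itself, attach the managed policy whose document that answer quotes, AWSLambdaBasicExecutionRole (arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole), through the role's ManagedPolicyArns property; the trade-off is that its logs:CreateLogGroup on "*" lets the function create groups anywhere in the account, and a group created that way has no retention set until you add one.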
Can you include the lambda function part of the template? I am wondering what the value of the Role property is.

Also, thanks for the insightful link. I did not realize that specifying the log group name would create a bottleneck.