Put (Lambda) subscription on CW Logs group

Time:09-30

I am trying to put a subscription on a CW log group from a Lambda Function that is scanning for lambdas with the right tag. When calling the put_subscription_filter an Error is thrown:

"An error occurred (InvalidParameterException) when calling the PutSubscriptionFilter
 operation: Could not execute the lambda function. Make sure you have given CloudWatch Logs
 permission to execute your function."

As stated in the docs for put subscription filter, the iam:PassRole permission is needed. I have granted this. I have made sure it is not a permission issue for the Lambda function by giving it full admin rights.

By reading the error it indicates it is CW Logs that needs permission to execute a function, my guess is that it is the subscribe destination function that they may mean. I have tried a lot of different things here but still no cigar.

Setting a subscription filter in the console is straightforward and no policy is modified or created as far as I can see.

Does anyone have experience of this or any input?

CodePudding user response:

You need to add a Lambda invoke permission so that CloudWatch can send to and execute the Lambda when logs are available.

Using the AWS CLI is the simplest way:

aws lambda add-permission \
    --function-name "helloworld" \
    --statement-id "helloworld" \
    --principal "logs.region.amazonaws.com" \
    --action "lambda:InvokeFunction" \
    --source-arn "arn:aws:logs:region:123456789123:log-group:TestLambda:*" 

Using the console:

 1. Go to Lambda Function
 2. Configuration -> Permissions tab
 3. Scroll down and Click Add permissions
 4. Choose "AWS service"
 5. Principal - CloudWatch log group ARN
 6. Action - Lambda:InvokeFunction
 7. Statement Id - policy statement name, anything meaningful 
 8. Save

Once done through the CLI or the console, try creating the CloudWatch subscription to that Lambda.
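The same two steps from inside the scanning Lambda, as an added boto3 example that is not part of the original answer: it grants CloudWatch Logs invoke rights scoped to one log group and its account, then creates the subscription. The helper names, the "cwlogs-" statement id prefix, the default filter name and the refusal of wildcard log group ARNs are assumptions of this example.

```python
import re

# arn:aws:logs:<region>:<account>:log-group:<name>:*  (a wildcard name is refused)
_ARN = re.compile(r"^arn:aws:logs:([a-z0-9-]+):(\d{12}):log-group:([^:*]+):\*$")

def parse_log_group_arn(arn):
    """Return (region, account, log_group_name) or raise ValueError."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError("expected arn:aws:logs:<region>:<account>:log-group:<name>:*")
    return m.groups()

def invoke_permission(function_name, log_group_arn):
    """Build add_permission arguments that let ONE log group invoke the function."""
    region, account, group = parse_log_group_arn(log_group_arn)
    # StatementId only allows letters, digits, '-' and '_' (max 100 chars).
    sid = "cwlogs-" + re.sub(r"[^A-Za-z0-9_-]", "-", group.strip("/"))
    return {
        "FunctionName": function_name,
        "StatementId": sid[:100],
        "Action": "lambda:InvokeFunction",
        "Principal": f"logs.{region}.amazonaws.com",
        "SourceArn": log_group_arn,   # only this log group may invoke
        "SourceAccount": account,     # and only from this account
    }

def subscribe(function_arn, log_group_arn, filter_name="to-lambda"):
    """Grant the permission first, then create the subscription filter."""
    import boto3  # imported here so the builders above work without boto3
    region, _, group = parse_log_group_arn(log_group_arn)
    lam = boto3.client("lambda", region_name=region)
    try:
        lam.add_permission(**invoke_permission(function_arn, log_group_arn))
    except lam.exceptions.ResourceConflictException:
        pass  # statement id already present from an earlier scan
    boto3.client("logs", region_name=region).put_subscription_filter(
        logGroupName=group,
        filterName=filter_name,
        filterPattern="",  # empty pattern forwards every log event
        destinationArn=function_arn,
    )

if __name__ == "__main__":
    # Constructed sample ARN, reusing the account id from the CLI call above.
    sample = "arn:aws:logs:eu-west-1:123456789123:log-group:/aws/lambda/TestLambda:*"
    print(invoke_permission("helloworld", sample))
```

Each subscribed log group adds one statement to the function's resource policy, so a scanner covering many functions should also remove statements for log groups it no longer subscribes.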
