Denied Access to logs:CreateLogStream action as Root User

Question

Hello.

I am new to AWS and was writing a function in AWS Lambda to create a log group and log stream. When I test in AWS Lambda, the log group is successfully created, but an error occurs when trying to create a log stream for that log group. As the root user, for some reason, I am getting a Client Error: Access Denied Exception because my root user "is not authorized to perform: logs:CreateLogStream" on the log_stream resource "because no identity-based policy allows the logs:CreateLogStream action." However, when I code something similar in my local IDE with Boto3, everything works as expected.

Appreciate any help!

Accepted Answer

Hi,

when you run an AWS Lambda function, the function assumes a AWS IAM role. This is called the function execution role. The function has only the permissions that are defined in that role, regardless of what the permissions of your IAM user or role are. 
Please check the IAM role of the function and make sure that the correct permissions are assigned.

You can find more information here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Denied Access to logs:CreateLogStream action as Root User

Relevanter Inhalt