Only one user and it has CloudWatchFullAccess but I can't see CW logs

Question

When I run my lambda it fails. I want to see the logs but when I click "View logs in Cloudwatch" I get:

```
There was an error loading Log Streams
```

I only have one user and that user has CloudWatchFullAccess and AWSLambdaFullAccess.   
  
When I try to create a log stream I get:

```
There was an error creating your Log Stream. Please try again.
```

When I follow these instructions I get the same error: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-functions-logs.html  
  
So what's wrong here?  
  
Edited by: mstracker on Jun 30, 2019 3:57 PM  
  
Edited by: mstracker on Jun 30, 2019 4:11 PM

Answer

I followed this article and recreated the function from scratch and it worked. Seems like the AWS XRay access might have been the issue.   
  
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Answer

Hello  
  
Just in case, double check that your lambda function has the minimum role to write the logs in cloudwatch.  It should have a role that includes the AWSLambdaBasicExecutionRole policy.  
  
on the lambda function page, there is a monitoring tab where you can see if there are any issues. That might give you an idea of what else is needed. You can post the exact error message and maybe we can help more.

hope this helps,  
RT

Answer

In the Execution role I have:

```
{
  "roleName": "lambda_role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-2:696215482432:*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:us-east-2:696215482432:log-group:/aws/lambda/get-sheet-data:*"
            ]
          }
        ]
      },
      "name": "AWSLambdaBasicExecutionRole-11a867c9-e852-454d-a3f3-4b402295bada",
      "id": "ANPA2EGNNGBACNUXA63TP",
      "type": "managed",
      "arn": "arn:aws:iam::696215482432:policy/service-role/AWSLambdaBasicExecutionRole-11a867c9-e852-454d-a3f3-4b402295bada"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}
```

Answer

I tried creating a brand new function. Ran the function then clicked "logs" and got this error:

```
 There was an error loading Log Streams. Please try again by refreshing this page.
 ```

At the top of the cloudwatch page. Can't create a log stream either.

Answer

Hello  
To make it simple, try to run your function using the basic lambda role "AWSLambdaBasicExecutionRole"  
 if that works, then start limiting it.  
  
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html  
  
hope this helps  
RT

Only one user and it has CloudWatchFullAccess but I can't see CW logs

関連するコンテンツ