By using AWS re:Post, you agree to the Terms of Use
/AWS Lambda@Edge created using AWS CDK doesn't put Log to CloudWatch/

AWS Lambda@Edge created using AWS CDK doesn't put Log to CloudWatch

0

I created a simple Lambda@Edge function like below.

'use strict';

exports.handler =  async function(event, context, callback) {
    const cf = event.Records[0].cf;
    console.log('Record: ', JSON.stringify(cf, null, 2));
    console.log('Context: ', JSON.stringify(context, null, 2));
    console.log('Request: ', JSON.stringify(cf.request, null, 2));
    callback(null, cf.request);
}

And I deployed it using AWS CDKv2 `experimental EdgeFunction like below

        const edgeFunction = new cloudfront.experimental.EdgeFunction(this, 'EdgeFunction', {
            runtime: Runtime.NODEJS_14_X,
            handler: 'index.handler',
            code: Code.fromAsset(path.join(__dirname, '../../../../lambda/ssr2')),
        });

and also I set it up as edge function for a Distribution

        const distribution = new Distribution(this, 'Distribution', {
            defaultBehavior: {
                origin,
                cachePolicy: CachePolicy.CACHING_DISABLED,
                viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                edgeLambdas: [
                    {
                        functionVersion: edgeFunction.currentVersion,
                        eventType: LambdaEdgeEventType.VIEWER_REQUEST,
                    }
                ]
            },

But when I tried sending the request to the Distribution, the log didn't show up anything.

I checked the permission, the role already has permission

Allow: logs:CreateLogGroup
Allow: logs:CreateLogStream
Allow: logs:PutLogEvents

I expect the function write logs to the CloudWatch. What did I miss?

UPDATE 1

Below is the role document,

{
    "sdkResponseMetadata": null,
    "sdkHttpMetadata": null,
    "partial": false,
    "permissionsBoundary": null,
    "policies": [
      {
        "arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        "document": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "*"
            }
          ]
        },
        "id": "ANPAJNCQGXC425412345",
        "name": "AWSLambdaBasicExecutionRole",
        "type": "managed"
      }
    ],
    "resources": {
      "logs": {
        "service": {
          "icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgNjQgNjQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgdHJhbnNmb3JtPSJzY2FsZSguOCkiPgogICAgPGRlZnM+CiAgICAgIDxsaW5lYXJHcmFkaWVudCB4MT0iMCUiIHkxPSIxMDAlIiB4Mj0iMTAwJSIgeTI9IjAlIiBpZD0iYSI+CiAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0IwMDg0RCIgb2Zmc2V0PSIwJSIvPgogICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNGRjRGOEIiIG9mZnNldD0iMTAwJSIvPgogICAgICA8L2xpbmVhckdyYWRpZW50PgogICAgPC9kZWZzPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgPHBhdGggZD0iTTAgMGg4MHY4MEgweiIgZmlsbD0idXJsKCNhKSIvPgogICAgICA8cGF0aCBkPSJNNTUuMDYgNDYuNzc3YzAtMy45MDktMy4yMDItNy4wOS03LjEzOC03LjA5LTMuOTM1IDAtNy4xMzYgMy4xODEtNy4xMzYgNy4wOSAwIDMuOTEgMy4yIDcuMDkgNy4xMzYgNy4wOXM3LjEzNy0zLjE4IDcuMTM3LTcuMDltMi4wMSAwYzAgNS4wMTEtNC4xMDMgOS4wODctOS4xNDcgOS4wODctNS4wNDMgMC05LjE0Ny00LjA3Ni05LjE0Ny05LjA4NyAwLTUuMDEgNC4xMDQtOS4wODYgOS4xNDctOS4wODYgNS4wNDQgMCA5LjE0OCA0LjA3NiA5LjE0OCA5LjA4Nm04LjQ0IDEzLjY5N0w1OC41IDU0LjIwM2ExMy4wMzMgMTMuMDMzIDAgMDEtMS45NDcgMi4xNmw2Ljk5OCA2LjI3YTEuNDc0IDEuNDc0IDAgMDAyLjA2Ni0uMTA3IDEuNDUzIDEuNDUzIDAgMDAtLjEwOC0yLjA1Mm0tMTcuNTg4LTIuODEyYzYuMDQzIDAgMTAuOTU4LTQuODgzIDEwLjk1OC0xMC44ODVzLTQuOTE1LTEwLjg4NC0xMC45NTgtMTAuODg0Yy02LjA0MSAwLTEwLjk1NyA0Ljg4Mi0xMC45NTcgMTAuODg0IDAgNi4wMDIgNC45MTYgMTAuODg1IDEwLjk1NyAxMC44ODVtMTkuMTkgNi4yQTMuNDgzIDMuNDgzIDAgMDE2NC41MjkgNjVhMy40NzUgMy40NzUgMCAwMS0yLjMyMi0uODgzTDU0LjkzMSA1Ny42YTEyLjkzNSAxMi45MzUgMCAwMS03LjAwOSAyLjA2Yy03LjE1IDAtMTIuOTY3LTUuNzc5LTEyLjk2Ny0xMi44ODIgMC03LjEwMiA1LjgxNy0xMi44ODEgMTIuOTY3LTEyLjg4MSA3LjE1MSAwIDEyLjk2OSA1Ljc3OSAxMi45NjkgMTIuODgxIDAgMi4wMzgtLjQ5MiAzLjk2LTEuMzQ0IDUuNjc0bDcuMzA5IDYuNTRhMy40NDQgMy40NDQgMCAwMS4yNTYgNC44NzJNMjEuMjggMjkuMzkzYzAgLjUxOS4wMzIgMS4wMzYuMDk0IDEuNTM2YS45OTQuOTk0IDAgMDEtLjgyMyAxLjEwNmMtMi40NzIuNjM0LTYuNTQgMi41NTMtNi41NCA4LjMxIDAgNC4zNDggMi40MTMgNi43NDggNC40MzkgNy45OTYuNjkxLjQzMyAxLjUxLjY2NCAyLjM3My42NzNsMTIuMTIyLjAxMS0uMDAyIDEuOTk3LTEyLjEzMS0uMDFjLTEuMjQ2LS4wMTQtMi40MjgtLjM1MS0zLjQyOC0uOTc3QzE1LjM3NyA0OC43OTcgMTIgNDUuODkgMTIgNDAuMzQ1YzAtNi42ODMgNC42LTkuMTUzIDcuMy0xMC4wMjYtLjAyLS4zMDctLjAzLS42MTctLjAzLS45MjYgMC01LjQ2IDMuNzI4LTExLjEyMyA4LjY3Mi0xMy4xNzEgNS43ODItMi40MDcgMTEuOTA4LTEuMjE0IDE2LjM4NCAzLjE4OSAxLjM4OCAxLjM2NCAyLjUyOSAzLjAyIDMuNDA0IDQuOTM3YTYuNTA5IDYuNTA5IDAgMDE0LjE1NC0xLjUwMmMzLjAwMiAwIDYuMzgyIDIuMjY0IDYuOTg0IDcuMjE1IDIuODEyLjY0NCA4Ljc1MyAyLjg5NCA4Ljc1MyAxMC4zNjIgMCAyLjk4MS0uOTQxIDUuNDQ0LTIuNzk4IDcuMzE5bC0xLjQzMy0xLjQwMWMxLjQ3My0xLjQ4OCAyLjIyLTMuNDc5IDIuMjItNS45MTggMC02LjUzMi01LjUwNC04LjE1Ny03Ljg3My04LjU1MWExLjAwMiAxLjAwMiAwIDAxLS44MjMtMS4xNTdjLS4zMjktNC4wNTUtMi43NTMtNS44NzItNS4wMy01Ljg3Mi0xLjQzNyAwLTIuNzg0LjY5NS0zLjY5NyAxLjkwN2ExLjAwNiAxLjAwNiAwIDAxLTEuNzUtLjI1OGMtLjgyMy0yLjI2Ni0yLjAxLTQuMTcxLTMuNTI1LTUuNjYxLTMuODgtMy44MTYtOS4xODQtNC44NS0xNC4xOTUtMi43NjYtNC4xNyAxLjcyNy03LjQzNyA2LjcwMi03LjQzNyAxMS4zMjgiIGZpbGw9IiNGRkYiLz4KICAgIDwvZz4KICA8L2c+Cjwvc3ZnPgo=",
          "name": "Amazon CloudWatch Logs"
        },
        "statements": [
          {
            "action": "logs:CreateLogGroup",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          },
          {
            "action": "logs:CreateLogStream",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          },
          {
            "action": "logs:PutLogEvents",
            "effect": "Allow",
            "resource": "*",
            "service": "logs",
            "source": {
              "index": "0",
              "policyName": "AWSLambdaBasicExecutionRole",
              "policyType": "managed"
            }
          }
        ]
      }
    },
    "roleName": "MyProject-EdgeFunctionFnServiceRoleC7B72E4-1DV3AZXP558ZS",
    "trustedEntities": [
      "lambda.amazonaws.com",
      "edgelambda.amazonaws.com"
    ]
  }

I just tried using the Test in the Lambda Panel. All the tests send logs to the CloudWatch. However when I send request to the CloudFront, it didn't send anything.

UPDATE 2

I just found out from StackOverflows that the log is being stored not centrally but distributed to regions. Something like below

/aws/lambda/us-east-1.MyProject-EdgeFunctionFn44308ADF-loJeFwXXzTOm

So instead of opening it from Lambda panel, I need to open it in the CloudFront panel. Somewhat I couldn't find it in any AWS documentations.

References

https://aws.amazon.com/id/blogs/networking-and-content-delivery/aggregating-lambdaedge-logs/

https://stackoverflow.com/questions/66949758/serverless-aws-lambdaedge-how-to-debug#:~:text=Go%20to%20CloudWatch%20and%20search,%2D%3E%20Lambda%40Edge%20Errors%20.

2 Answers
0
Accepted Answer

Oh I think I see now, this is an issue I've faced before with lambda@edge logs too. The logs print to cloudwatch log groups in whatever region was used to accent the content. Since the lambda@edge replicates in all of the used Edge locations, while you're dealing with 1 lambda function you're actually dealing with up to a few dozen lambda@edge functions. So look in Cloudwatch Log Groups for edge lambda log groups in all regions close to where you are located.

To find that in the CloudFront panel go to Telemetry->Monitoring, Choose the Lambda@Edge tab, select the appropriate lambda version, then in the top right corner there will be a dropdown called View Function Logs - there you can see all the regions where logs are available.

answered a month ago
0

Make sure the role's trust policy for the lambda@edge lists two principles: lambda.amazonaws.com and edgelambda.amazonaws.com. If it only has the first one you'll need to add a custom role to the edge function in the cdk:

new Role(this, 'Lambda-Edge-Role', {
      assumedBy: new CompositePrincipal(
          new ServicePrincipal('lambda.amazonaws.com'),
          new ServicePrincipal('edgelambda.amazonaws.com'),
      ),
       managedPolicies: [
           ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')
      ]
}

I believe the EdgeFunction construct is supposed to do that automatically but since it's experimental it's worth it to make sure.

answered a month ago
  • I just posted the Role document. It seems that it is correct because I just tried using the Test in the Lambda Panel, and all the tests send logs to the CloudWatch. However when I send request to the CloudFront, it didn't send anything. Seems like I am missing something.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions