Denied Access to logs:CreateLogStream action as Root User



I am new to AWS and was writing a function in AWS Lambda to create a log group and log stream. When I test in AWS Lambda, the log group is successfully created, but an error occurs when trying to create a log stream for that log group. As the root user, for some reason, I am getting a Client Error: Access Denied Exception because my root user "is not authorized to perform: logs:CreateLogStream" on the log_stream resource "because no identity-based policy allows the logs:CreateLogStream action." However, when I code something similar in my local IDE with Boto3, everything works as expected.

Appreciate any help!

1 Answer
Accepted Answer


when you run an AWS Lambda function, the function assumes a AWS IAM role. This is called the function execution role. The function has only the permissions that are defined in that role, regardless of what the permissions of your IAM user or role are. Please check the IAM role of the function and make sure that the correct permissions are assigned.

You can find more information here:

profile pictureAWS
answered a year ago
profile picture
reviewed a year ago
  • Thanks a lot for your response. Seems like I rushed through the creation of the function.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions