Yes, what you’re seeing is expected behavior in the AWS CDK.
When you set the insightsVersion property, the CDK doesn’t automatically attach the AWSLambdaBasicExecutionRole managed policy (which includes permissions like logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents). Instead, it attaches only the CloudWatchLambdaInsightsExecutionRolePolicy, which is specific to Lambda Insights.
So yes, you will need to explicitly add the AWSLambdaBasicExecutionRole managed policy if you want your Lambda to write logs to CloudWatch when using insightsVersion.
Solution: Add this after your function definition:
myfn.role?.addManagedPolicy(
iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole')
);
This addition ensures that your Lambda function has both the insights-related permissions and the basic execution role permissions, allowing it to write logs to CloudWatch Logs.
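Because the missing logging grant only shows up at runtime, it helps to check the synthesized template before deploying. The following is an added example, not part of the answer above or of the CDK project: it walks a cdk.out template, resolves each Lambda function's execution role, and reports functions whose role has neither the AWSLambdaBasicExecutionRole managed policy nor an inline policy that allows log writes. The template shape (Fn::Join over the partition Ref, a separate AWS::IAM::Policy resource for inline grants) follows what CDK normally emits; the sample template and the resource names MyFn and MyFnServiceRole are constructed.

```typescript
// Added example (not from the original answer or the CDK project): audit a synthesized CDK template
// (cdk.out/<Stack>.template.json) so a Lambda role that cannot write CloudWatch Logs is caught in CI.
type Json = any;
// CDK emits managed-policy ARNs as Fn::Join over ["arn:", {Ref: "AWS::Partition"}, ":iam::aws:policy/..."];
// flatten that to a string so the policy name at the end can be matched.
function flattenArn(value: Json): string {
  if (typeof value === "string") return value;
  if (value && value["Fn::Join"]) {
    const [sep, parts] = value["Fn::Join"];
    return parts.map(flattenArn).join(sep);
  }
  return value && value.Ref ? `<${value.Ref}>` : JSON.stringify(value);
}
// True when an IAM policy document allows the actions needed to write to CloudWatch Logs.
function grantsLogWrites(doc: Json): boolean {
  const allowed = new Set<string>();
  for (const s of doc?.Statement ?? []) {
    if (s.Effect !== "Allow") continue;
    const acts: string[] = Array.isArray(s.Action) ? s.Action : [s.Action];
    acts.forEach(a => allowed.add(a));
  }
  return ["logs:CreateLogStream", "logs:PutLogEvents"].every(
    a => allowed.has(a) || allowed.has("logs:*") || allowed.has("*"));
}
// Logical IDs of Lambda functions whose execution role has neither the
// AWSLambdaBasicExecutionRole managed policy nor an inline policy granting log writes.
function functionsUnableToLog(template: Json): string[] {
  const res: Record<string, Json> = template.Resources ?? {};
  const missing: string[] = [];
  for (const [id, r] of Object.entries(res)) {
    if (r.Type !== "AWS::Lambda::Function") continue;
    const roleId: string = r.Properties?.Role?.["Fn::GetAtt"]?.[0];
    const role = res[roleId];
    const managed: string[] = (role?.Properties?.ManagedPolicyArns ?? []).map(flattenArn);
    const hasBasic = managed.some(a => a.endsWith("policy/service-role/AWSLambdaBasicExecutionRole"));
    // Inline policies synthesized by CDK are separate AWS::IAM::Policy resources that Ref the role.
    const inlineOk = Object.values(res).some(p => p.Type === "AWS::IAM::Policy" &&
      (p.Properties?.Roles ?? []).some((x: Json) => x?.Ref === roleId) &&
      grantsLogWrites(p.Properties?.PolicyDocument));
    if (!hasBasic && !inlineOk) missing.push(id);
  }
  return missing;
}
// Constructed sample shaped like CDK output: the role carries only the Insights policy.
const insightsOnlyTemplate = { Resources: {
  MyFnServiceRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [{ "Fn::Join": ["",
    ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"]] }] } },
  MyFn: { Type: "AWS::Lambda::Function", Properties: { Role: { "Fn::GetAtt": ["MyFnServiceRole", "Arn"] } } },
} };
```

Running `functionsUnableToLog` over the sample returns `["MyFn"]`; after the addManagedPolicy call from the answer is synthesized, the basic execution role ARN appears in ManagedPolicyArns and the function is no longer reported.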
The behavior you're experiencing is not the expected default behavior when adding Lambda Insights to a function. Typically, when you enable Lambda Insights, it should not remove or replace the basic execution role permissions that allow your function to log to CloudWatch.
When you create a Lambda function using CDK, it should automatically create an execution role with the necessary permissions, including the ability to write logs to CloudWatch. This is usually done by attaching the AWSLambdaBasicExecutionRole managed policy.
Adding Lambda Insights should supplement these permissions, not replace them. The CloudWatchLambdaInsightsExecutionRolePolicy is meant to provide additional permissions specifically for Lambda Insights functionality.
However, if you're finding that only the CloudWatchLambdaInsightsExecutionRolePolicy is being added when you include the insightsVersion, and your function is unable to log to CloudWatch, you may need to manually add the basic execution role.
In this case, yes, you would need to add the AWSLambdaBasicExecutionRole manually to ensure your function has the necessary permissions to write logs. You can do this by adding the following line after your function definition:
myfn.role?.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'));
This will ensure that your function has both the basic execution permissions and the Lambda Insights permissions.
If this issue persists, you may want to check your CDK version and consider updating it, as this could be a bug in an older version. Additionally, you might want to review your overall IAM and Lambda configurations to ensure there are no conflicting settings preventing the automatic addition of the basic execution role.
Sources
Community | Request-Response with Amazon API Gateway and AWS Lambda
Defining Lambda function permissions with an execution role - AWS Lambda
Monitor function performance with Amazon CloudWatch Lambda Insights - AWS Lambda
Should I file a bug if this is not the expected behavior? Where shall I do that?