15
votes

I have viewer-request and origin-response Lambda functions deployed to a CloudFront distribution, which are firing, but not logging to CloudWatch. I have spent a considerable amount of time researching this topic, and have run through all advice from other posts including:

  • Checking all regions for logs, as I know that the CloudWatch logs will be created in the region in which the Lambda@Edge function runs. No logs in any of them.
  • I have checked that the AWSServiceRoleForCloudFrontLogger role exists.

Interestingly, when I purposefully code an error into one of the Lambda functions, I do get logs created within a group named /aws/cloudfront/LambdaEdge/<cloudfront distribution id> containing error logs; however, there is no output from the console.log statements there.

For the life of me I can't work out how I can enable logging of ALL requests, both successes and failures, to CloudWatch, containing my debug statements using console.log().

The AWSServiceRoleForCloudFrontLogger contains a single policy AWSCloudFrontLogger:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:/aws/cloudfront/*"
            }
        ]
    }

EDIT:

Below is the AWS role suggested by AWS support. I can confirm this worked and resolved the issue.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:*"
                ]
            }
        ]
    }
  • Can you share your role AWSServiceRoleForCloudFrontLogger? – matesio
  • @matesio Sure, added above. – mustdobetter
  • Is the policy suggested by AWS support meant to be attached to a new role which has logger.cloudfront.amazonaws.com as a trusted entity? If I understand correctly, this is a sort of an extended replacement for the default AWSServiceRoleForCloudFrontLogger role, right? – mj3c
  • To answer my previous comment, the proposed policy needs to be set for the Lambda's execution role, then the logs start working! – mj3c
  • Thanks a lot, they should really highlight this in their documentation; wasted many hours. – Suraj Jain

1 Answer

4
votes

The issue most probably is that Lambda does not have the permissions to output the logs into CloudWatch.

Can you double check the Lambda function execution role permissions?

Related link: Can't get AWS Lambda function to log (text output) to CloudWatch

Explanation

So there are two kinds of logs here, hence you have to provide permissions to CloudWatch at two different places.

  1. Logs that you put in your Lambda function (using console.log): since these logs are to be published by the function to CloudWatch, the function execution role should have permission to write to CloudWatch. This is true irrespective of who triggers the Lambda function.
  2. Now comes L@E: sometimes you might end up modifying the request/response in a way that is not valid as per CloudFront. In these scenarios only CloudFront has the knowledge that you messed up (your Lambda function doesn't know this), and it publishes this knowledge in the form of logs to CloudWatch. Now since this is a different entity, it needs its own permissions to push the logs to CloudWatch (which you had provided via AWSServiceRoleForCloudFrontLogger).
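The two-role split above can be checked offline by evaluating the posted policies against the log-group ARNs each party writes to. The following is an added example, not code from the question or the answer; it implements IAM-style `*`/`?` matching for Allow statements only, and assumes (per AWS's Lambda@Edge logging docs) that function replicas log to a group named `/aws/lambda/us-east-1.<function-name>` in the region that served the request. Account id, region, distribution id and the function name `my-viewer-request` are constructed placeholders.

```python
import re

REQUIRED_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def policy_allows(policy, action, resource):
    """True if any Allow statement covers both the action and the resource ARN (Deny is not modelled)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are compared as written.
        if any(iam_match(a, action, True) for a in actions) and any(iam_match(r, resource) for r in resources):
            return True
    return False


def missing_log_permissions(policy, log_group_arn):
    """Which of the three CloudWatch Logs actions the policy does not grant on this log group."""
    return [a for a in REQUIRED_ACTIONS if not policy_allows(policy, a, log_group_arn)]


def logs_policy(resource):
    """Build a one-statement policy granting the three log actions on the given resource(s)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": resource}]}


# The two policies from the question, reconstructed here as input for the check.
CLOUDFRONT_LOGGER_POLICY = logs_policy("arn:aws:logs:*:*:/aws/cloudfront/*")
EXECUTION_ROLE_POLICY = logs_policy(["arn:aws:logs:*:*:*"])
# A narrower alternative for the execution role, scoped to one function's own log groups (assumption).
SCOPED_EXECUTION_ROLE_POLICY = logs_policy("arn:aws:logs:*:*:log-group:/aws/lambda/us-east-1.my-viewer-request:*")

# Log groups the two parties write to (constructed ARNs). The function's console.log output lands in
# /aws/lambda/us-east-1.<function-name> in the edge region; CloudFront's own validation errors land in
# /aws/cloudfront/LambdaEdge/<distribution id>, which is the only group the question's first policy covers.
EDGE_FUNCTION_LOG_GROUP = "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/us-east-1.my-viewer-request:*"
CLOUDFRONT_ERROR_LOG_GROUP = "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/cloudfront/LambdaEdge/EXAMPLEDISTID:*"
```

Running `missing_log_permissions(CLOUDFRONT_LOGGER_POLICY, EDGE_FUNCTION_LOG_GROUP)` lists all three actions, which is exactly the symptom in the question: errors appear, console.log output does not.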