0
votes

I am using serverless to deploy a lambda and I'd like to invoke this lambda from a CloudWatch event. Below is my configuration. The lambda is to be invoked whenever a new log group is created. But I got an error on the lambda that CloudWatch needs to be granted permission to invoke the lambda. How can I add that permission in serverless.yml?

  logGroupListener:
    handler: src/index.handler
    name: ${self:provider.stackName}-cloudWatch-listener
    environment:
      DEST_ARN: "arn:aws:lambda:${self:provider.region}:${self:provider.accountId}:function:${self:provider.stackName}-cloudwatch-listener"
    events:
      - cloudwatchEvent:
          event:
            source:
              - 'aws.logs'
            detail-type:
              - 'AWS API Call via CloudTrail'
            detail:
              eventSource:
                - logs.amazonaws.com
              eventName:
                - CreateLogGroup

I know I can add that by running this command:

aws lambda add-permission --function-name $AGGREGATOR_NAME \
  --statement-id $ID --action lambda:InvokeFunction \
  --principal logs.ap-southeast-2.amazonaws.com

I know how to create an IAM role in serverless.yml, but I don't know how to attach the role to CloudWatch.

1
serverless.com/framework/docs/providers/aws/guide/iam - this documentation provides this info. (error404)
I know how to create the role. But I don't know how to attach it to CloudWatch. (Joey Yi Zhao)

1 Answer

0
votes

Please try it in the following way:

provider:
  ...
  iamRoleStatements:
    - Effect: Allow
      Action:
        - lambda:InvokeFunction
        - lambda:InvokeAsync
      Resource: "arn:aws:logs:<region>:<accountId>:log-group:<Log group>:*"
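The question asks for the grant that lets a CloudWatch Events rule invoke the function; that is a resource-based permission on the function itself, not a statement in the function's execution role, and the `cloudwatchEvent` trigger normally makes the Framework emit one for you. As an added example (not from the question or the answer), this is the equivalent explicit resource in serverless.yml, scoped to the single rule; the logical IDs `LogGroupListenerLambdaFunction` and `LogGroupListenerEventsRuleCloudWatchEvent1` are assumed to be the ones generated for the `logGroupListener` function above and should be checked against the packaged CloudFormation template.

```yaml
# Added example, not part of the original question or answer.
# Grants the CloudWatch Events rule permission to invoke the function via the
# function's resource-based policy (what `aws lambda add-permission` edits).
# Assumed logical IDs: LogGroupListenerLambdaFunction and
# LogGroupListenerEventsRuleCloudWatchEvent1 (Serverless-generated names for
# the logGroupListener function and its first cloudwatchEvent trigger).
resources:
  Resources:
    LogGroupListenerInvokePermission:
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        FunctionName:
          Fn::GetAtt: [LogGroupListenerLambdaFunction, Arn]
        # The CloudWatch Events service principal, not logs.<region>.amazonaws.com
        # (that principal is for CloudWatch Logs subscription filters).
        Principal: events.amazonaws.com
        # Least privilege: only this rule may invoke the function. Without
        # SourceArn any rule in any account could target it.
        SourceArn:
          Fn::GetAtt: [LogGroupListenerEventsRuleCloudWatchEvent1, Arn]
```

After `serverless package`, confirm the rule's logical ID in `.serverless/cloudformation-template-update-stack.json` and verify the resulting policy with `aws lambda get-policy --function-name <function>`.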