How to create CloudWatch logs trigger for AWS Lambda using aws ruby SDK?

I know there should be a way to create a trigger for AWS Lambda using the AWS Ruby SDK (just like it is possible to do it using the AWS Management Console).

Update: I was able to find a way to create the trigger. I'm using the following code to do that:

@cloudwatchlogs = Aws::CloudWatchLogs::Client.new(region: region, credentials: Aws::Credentials.new(aws_access_key_id, aws_secret_access_key))
@cloudwatchlogs.put_subscription_filter({
   log_group_name: "RDSOSMetrics",
   filter_name: "RDS metrics filter",
   filter_pattern: "RDS metrics filter pattern",
   destination_arn: function_arn
})

I'm getting the following error while trying to do that:

*** Aws::CloudWatchLogs::Errors::InvalidParameterException Exception: Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function

Just for the sake of testing it out, I have role X, which is attached to the Lambda function, and that role has the AWSLambdaFullAccess policy added to it, but I'm still getting this error.

Is there anything else I'm missing?

Thanks, Bakir

Bakir Jusufbegovic asked Feb 06 '17 14:02


1 Answer

CloudWatch Logs permissions can be added with:

client.add_permission({
    action: "lambda:InvokeFunction",
    function_name: function_arn,
    principal: "logs." + region + ".amazonaws.com",
    source_account: account_id,
    source_arn: "arn:aws:logs:" + region + ":" + account_id + ":log-group:" + log_group_name + ":*",
    statement_id: unique_identifier,
})

Where:

  • function_arn is your function identifier, similar to arn:aws:lambda:eu-west-1:111111111111:function:yourFunctionName
  • region is the name of your service region, similar to eu-west-1
  • account_id is the ID of your account, similar to 111111111111
  • log_group_name is the name of the log group you will be streaming from, similar to /aws/lambda/logGroupName
  • unique_identifier is some random string to be used in the policy statement, e.g. ID-1

It should be executed in the following sequence:

  • Create Lambda function and Log group
  • Add permissions
  • Put subscription filter

More information:

  • http://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Lambda/Client.html#add_permission-instance_method
  • http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

Note the asterisk symbol at the end of source_arn:

arn:aws:logs:eu-west-1:111111111111:log-group:logGroup:*
arn:aws:logs:eu-west-1:111111111111:log-group:logGroup

It is the ARN of the log streams, not the ARN of the log group. It took me some time to debug this one (until I found the error with aws lambda get-policy).

Aurelijus Banelis answered Oct 04 '22 10:10
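
An added example, not part of either post above and not AWS's own code: it builds the add_permission parameters the answer lists and audits a function's resource policy for the mistake the answer describes, a source ARN without the trailing `:*`, as well as a missing source-account condition. The helper names, the policy document shape and the `AWS:SourceArn` / `AWS:SourceAccount` key spelling are assumptions, and the sample policy is constructed.

```ruby
require 'json'

# Parameters for Aws::Lambda::Client#add_permission, built as in the answer.
def logs_invoke_permission(function_arn:, region:, account_id:, log_group_name:, statement_id:)
  { action: 'lambda:InvokeFunction', function_name: function_arn,
    principal: "logs.#{region}.amazonaws.com", source_account: account_id,
    # The trailing ":*" matters: the ARN has to cover the group's log streams.
    source_arn: "arn:aws:logs:#{region}:#{account_id}:log-group:#{log_group_name}:*",
    statement_id: statement_id }
end

# Returns problems found in a function policy JSON document (the Policy
# value shown by `aws lambda get-policy`); an empty list means it matches.
def audit_logs_permission(policy_json, expected)
  stmt = JSON.parse(policy_json).fetch('Statement', []).find do |s|
    principal = s['Principal']
    s['Effect'] == 'Allow' && Array(s['Action']).include?(expected[:action]) &&
      principal.is_a?(Hash) && Array(principal['Service']).include?(expected[:principal])
  end
  return ["no Allow statement for #{expected[:principal]}"] unless stmt

  cond = stmt['Condition'] || {}
  src_arn = cond.dig('ArnLike', 'AWS:SourceArn')
  problems = []
  if src_arn.nil?
    problems << 'no SourceArn condition restricts which log group may invoke'
  elsif src_arn != expected[:source_arn]
    problems << "SourceArn is #{src_arn}, expected #{expected[:source_arn]}"
  end
  unless cond.dig('StringEquals', 'AWS:SourceAccount') == expected[:source_account]
    problems << 'SourceAccount condition missing or different'
  end
  problems
end

# Constructed sample policy document (assumed shape, not real output).
def sample_policy(source_arn)
  JSON.generate({
    'Statement' => [{
      'Sid' => 'ID-1', 'Effect' => 'Allow', 'Action' => 'lambda:InvokeFunction',
      'Principal' => { 'Service' => 'logs.eu-west-1.amazonaws.com' },
      'Condition' => {
        'StringEquals' => { 'AWS:SourceAccount' => '111111111111' },
        'ArnLike' => { 'AWS:SourceArn' => source_arn }
      }
    }]
  })
end
```

The hash returned by logs_invoke_permission can be passed to add_permission before put_subscription_filter is called, and the audit can be run on the policy afterwards.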