How to fix "Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function" error in AWS
I've been banging my head against this "Could not execute the lambda function. Make sure you have given CloudWatch Logs permission to execute your function" error for a couple of hours. I was trying to update the IAM role for the Lambda with different combinations, but with no luck. After reading the documentation a couple of times I finally managed to tackle the problem. If you use Terraform, then this article can help you solve the issue.
As for the Serverless Framework, the only thing that helped me was adding an AWS::Lambda::Permission resource. In a separate permissions.yml file I have added this block:
```yaml
LambdaCloudwatchInvokePermission:
  Type: AWS::Lambda::Permission
  DependsOn: DataDogLoggingLambdaLambdaFunction # this is the name in CloudFormation for your lambda
  Properties:
    FunctionName: ${self:custom.resourcePrefix}-[lambda-name]
    Principal: "logs.${self:provider.region}.amazonaws.com"
    Action: "lambda:InvokeFunction"
    SourceAccount:
      Ref: AWS::AccountId
    SourceArn: "arn:aws:logs:${self:provider.region}:${self:custom.stage.infra.AWS_ACCOUNT}:log-group:*:*"
```
And then in serverless.yml I link to this resource in the following way:
```yaml
resources:
  Resources:
    LambdaCloudwatchInvokePermission: ${file(infra/iam/permissions.yml):LambdaCloudwatchInvokePermission}
```
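Once the stack is deployed, the permission above becomes a statement in the function's resource-based policy (the JSON that `aws lambda get-policy` returns). The checker below is an added example, not code from the original post: it looks for the CloudWatch Logs invoke grant and also reports whether the SourceAccount/SourceArn conditions made it in, since without them a log group in any account could invoke the function. The region, account id and function name in the embedded sample policy are placeholders.

```python
import json

# Constructed sample of the "Policy" field returned by `aws lambda get-policy`
# once the AWS::Lambda::Permission above is deployed. The account id, region and
# function name are placeholders, not values from the original post.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "LambdaCloudwatchInvokePermission",
        "Effect": "Allow",
        "Principal": {"Service": "logs.eu-west-1.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:eu-west-1:123456789012:function:prefix-lambda-name",
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": "123456789012"},
            "ArnLike": {"AWS:SourceArn": "arn:aws:logs:eu-west-1:123456789012:log-group:*:*"},
        },
    }],
})


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def check_logs_invoke_permission(policy_json, region, account_id):
    """Find the statement letting CloudWatch Logs invoke the function.
    ok: logs.<region>.amazonaws.com may call lambda:InvokeFunction.
    scoped: AWS:SourceAccount/AWS:SourceArn pin it to our own account, so a
    log group in someone else's account cannot trigger the function.
    """
    policy = json.loads(policy_json)
    principal = f"logs.{region}.amazonaws.com"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        prin = stmt.get("Principal", {})
        services = _as_list(prin.get("Service", [])) if isinstance(prin, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if principal not in services or "lambda:InvokeFunction" not in actions:
            continue
        cond = stmt.get("Condition", {})
        src_account = cond.get("StringEquals", {}).get("AWS:SourceAccount")
        src_arn = cond.get("ArnLike", {}).get("AWS:SourceArn", "")
        scoped = (src_account == account_id
                  and src_arn.startswith(f"arn:aws:logs:{region}:{account_id}:"))
        return {"ok": True, "scoped": scoped, "sid": stmt.get("Sid")}
    return {"ok": False, "scoped": False, "sid": None}
```

Feed it the real `Policy` string from `aws lambda get-policy --function-name <name>` together with your region and account id; `ok` being False is exactly the state that produces the error in the title.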
It's quite important to remember when to use AWS::IAM::Role and when to use AWS::Lambda::Permission: AWS::IAM::Role defines which actions the resources you assign the role to are allowed to perform (for a Lambda, what the function itself can do). AWS::Lambda::Permission defines which actions other resources or services are allowed to perform on your Lambda, such as invoking it; it is the function's resource-based policy, which is why no change to the execution role fixes this error.
Hope this article saves you hours of debugging that you can spend on something more useful :)