When I view logs for my AWS Lambda function in the Amazon CloudWatch console, I get a "Log group does not exist" error. I want to resolve the error.
Short description
If there's no log group for your Lambda function when you view your function's logs, then CloudWatch returns the following error message:
"Log group does not exist. The specific log group: <log group name> does not exist in this account or region."
Lambda creates the log group the first time that the function is invoked, but only if the function's execution role allows it to. If there's still no log group after you invoke the function, then the most likely cause is that the function's AWS Identity and Access Management (IAM) execution role doesn't grant the required CloudWatch Logs permissions, or that the policy scopes them to the wrong Region or log group.
To troubleshoot a Log group does not exist error from CloudWatch, confirm the following:
- Your Lambda function's execution role has sufficient permissions to write logs to CloudWatch.
- The log group resource in the IAM policy includes the name of your function.
Note: For information on permissions-related logging issues with Lambda@Edge, see Service-linked roles for Lambda@Edge.
Resolution
In the IAM console, review and edit the IAM policy for the Lambda function's execution role. Verify that the following is correct:
- The write actions logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents are allowed.
Note: If you don't need custom permissions for your function, then you can attach the AWS managed policy AWSLambdaBasicExecutionRole. This managed policy grants those three actions, which allows Lambda to create the log group and write logs to CloudWatch Logs.
- The AWS Region specified in the Amazon Resource Name (ARN) is the same as your Lambda function's Region. A policy that names a different Region doesn't cover the log group that Lambda tries to create.
- The log-group resource includes the name of your Lambda function. For example, if your function is named myLambdaFunction, then the associated log group is /aws/lambda/myLambdaFunction.
The following is an example policy that includes the required permissions for a Lambda execution role to create its log group and write to CloudWatch Logs. Replace region, accountId, and functionName with your own values:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:region:accountId:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:region:accountId:log-group:/aws/lambda/functionName:*"
            ]
        }
    ]
}
Note: Be sure that the Lambda service was added as a trusted principal in the IAM role's trust policy. Without it, Lambda can't assume the role at all, so the logging permissions in the role are never used. If it wasn't added, then add the following trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
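The checks described in the Resolution (required actions present, Region matches, log-group ARN names the function, trust policy names lambda.amazonaws.com) can be scripted against the role's policy documents so that the mismatch is reported explicitly instead of surfacing as a missing log group. The following is an added example and not code from this article or from AWS; it uses only the Python standard library, and the function name myLambdaFunction, the account ID 123456789012, the Regions, and the sample log stream name are constructed values for illustration. It implements the IAM wildcard matching rules for '*' and '?' in Action and Resource, checks each required action against the ARN that Lambda actually uses it on (the log group for CreateLogGroup, a log stream inside that group for CreateLogStream and PutLogEvents), and separately checks that the trust policy lets Lambda assume the role.

```python
"""Check a Lambda execution role's policy and trust policy for the CloudWatch Logs
permissions that Lambda needs. Added example (not AWS's own code); runs offline on
constructed policy documents."""
import json
import re

# Actions Lambda needs, in the order they are reported when missing.
REQUIRED = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """IAM Action/Resource patterns support only '*' (any run) and '?' (one char)."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def _as_list(value):
    """IAM allows a single string or a list in Action, Resource, Statement, Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True if this Allow statement covers both the action and the resource ARN."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are matched case-insensitively; resource ARNs are matched as written.
    action_ok = any(_iam_pattern_to_regex(a.lower()).match(action.lower())
                    for a in _as_list(statement.get("Action")))
    resource_ok = any(_iam_pattern_to_regex(r).match(resource_arn)
                      for r in _as_list(statement.get("Resource")))
    return action_ok and resource_ok


def missing_log_permissions(policy: dict, function_name: str, region: str, account_id: str) -> list:
    """Return the required logs: actions that no Allow statement grants for this function.

    CreateLogGroup is checked against the log group ARN; CreateLogStream and
    PutLogEvents against a stream inside that group, since that is what Lambda calls.
    """
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    # Constructed stream name in Lambda's "<date>/[<version>]<hex>" shape; only the
    # fact that it sits under the function's log group matters for the check.
    log_stream_arn = f"{log_group_arn}:log-stream:2024/01/01/[$LATEST]0123456789abcdef"
    targets = {
        "logs:CreateLogGroup": log_group_arn,
        "logs:CreateLogStream": log_stream_arn,
        "logs:PutLogEvents": log_stream_arn,
    }
    statements = _as_list(policy.get("Statement"))
    return [action for action in REQUIRED
            if not any(_statement_allows(s, action, targets[action]) for s in statements)]


def trusts_lambda(trust_policy: dict) -> bool:
    """True if some Allow statement lets lambda.amazonaws.com call sts:AssumeRole."""
    for s in _as_list(trust_policy.get("Statement")):
        principal = s.get("Principal")
        if s.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = _as_list(principal.get("Service"))
        actions = [a.lower() for a in _as_list(s.get("Action"))]
        if "lambda.amazonaws.com" in services and any(
                _iam_pattern_to_regex(a).match("sts:assumerole") for a in actions):
            return True
    return False


# Constructed sample: the article's policy shape filled in for a hypothetical
# function myLambdaFunction in us-east-1, account 123456789012.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": "logs:CreateLogGroup",
     "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/myLambdaFunction:*"]}
  ]
}""")

SAMPLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

if __name__ == "__main__":
    print("trust policy allows Lambda:", trusts_lambda(SAMPLE_TRUST))
    # Same policy evaluated for the correct Region and for a mismatched one.
    for region in ("us-east-1", "eu-west-1"):
        gaps = missing_log_permissions(SAMPLE_POLICY, "myLambdaFunction", region, "123456789012")
        print(f"{region}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Run as written, the script reports the us-east-1 policy as complete and the eu-west-1 evaluation as missing all three actions, which is exactly the Region mismatch the Resolution tells you to look for; a policy whose log-group ARN names a different function passes CreateLogGroup (the account-wide wildcard still covers it) but fails CreateLogStream and PutLogEvents, so the group is created and then stays empty. To check a real role, feed it the documents returned by aws iam get-role (trust policy) and aws iam get-role-policy or aws iam get-policy-version (permissions), or compare its verdict with aws iam simulate-principal-policy for the same actions and ARNs.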
Related information
Lambda resource access permissions