使用 AWS CDK 创建的 AWS Lambda@Edge 无法将日志发送至 CloudWatch
【以下的问题经过翻译处理】 我创建了一个简单的 Lambda@Edge 函数,如下所示。
'use strict';
exports.handler = async function(event, context, callback) {
const cf = event.Records[0].cf;
console.log('Record: ', JSON.stringify(cf, null, 2));
console.log('Context: ', JSON.stringify(context, null, 2));
console.log('Request: ', JSON.stringify(cf.request, null, 2));
callback(null, cf.request);
}
我使用 AWS CDKv2 experimental EdgeFunction 进行了部署,如下所示
const edgeFunction = new cloudfront.experimental.EdgeFunction(this, 'EdgeFunction', {
runtime: Runtime.NODEJS_14_X,
handler: 'index.handler',
code: Code.fromAsset(path.join(__dirname, '../../../../lambda/ssr2')),
});
我还将其设置为 Distribution (分配)的边缘函数
const distribution = new Distribution(this, 'Distribution', {
defaultBehavior: {
origin,
cachePolicy: CachePolicy.CACHING_DISABLED,
viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
edgeLambdas: [
{
functionVersion: edgeFunction.currentVersion,
eventType: LambdaEdgeEventType.VIEWER_REQUEST,
}
]
},
但当我尝试向 Distribution 发送请求时,日志却没有显示任何内容。
我检查了权限,该角色已经拥有权限
Allow: logs:CreateLogGroup
Allow: logs:CreateLogStream
Allow: logs:PutLogEvents
我希望将该函数日志写入 CloudWatch。我哪里做错了?
更新 1
以下是角色文件:
{
"sdkResponseMetadata": null,
"sdkHttpMetadata": null,
"partial": false,
"permissionsBoundary": null,
"policies": [
{
"arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
},
"id": "ANPAJNCQGXC425412345",
"name": "AWSLambdaBasicExecutionRole",
"type": "managed"
}
],
"resources": {
"logs": {
"service": {
"icon": "data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgNjQgNjQiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgPGcgdHJhbnNmb3JtPSJzY2FsZSguOCkiPgogICAgPGRlZnM+CiAgICAgIDxsaW5lYXJHcmFkaWVudCB4MT0iMCUiIHkxPSIxMDAlIiB4Mj0iMTAwJSIgeTI9IjAlIiBpZD0iYSI+CiAgICAgICAgPHN0b3Agc3RvcC1jb2xvcj0iI0IwMDg0RCIgb2Zmc2V0PSIwJSIvPgogICAgICAgIDxzdG9wIHN0b3AtY29sb3I9IiNGRjRGOEIiIG9mZnNldD0iMTAwJSIvPgogICAgICA8L2xpbmVhckdyYWRpZW50PgogICAgPC9kZWZzPgogICAgPGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIj4KICAgICAgPHBhdGggZD0iTTAgMGg4MHY4MEgweiIgZmlsbD0idXJsKCNhKSIvPgogICAgICA8cGF0aCBkPSJNNTUuMDYgNDYuNzc3YzAtMy45MDktMy4yMDItNy4wOS03LjEzOC03LjA5LTMuOTM1IDAtNy4xMzYgMy4xODEtNy4xMzYgNy4wOSAwIDMuOTEgMy4yIDcuMDkgNy4xMzYgNy4wOXM3LjEzNy0zLjE4IDcuMTM3LTcuMDltMi4wMSAwYzAgNS4wMTEtNC4xMDMgOS4wODctOS4xNDcgOS4wODctNS4wNDMgMC05LjE0Ny00LjA3Ni05LjE0Ny05LjA4NyAwLTUuMDEgNC4xMDQtOS4wODYgOS4xNDctOS4wODYgNS4wNDQgMCA5LjE0OCA0LjA3NiA5LjE0OCA5LjA4Nm04LjQ0IDEzLjY5N0w1OC41IDU0LjIwM2ExMy4wMzMgMTMuMDMzIDAgMDEtMS45NDcgMi4xNmw2Ljk5OCA2LjI3YTEuNDc0IDEuNDc0IDAgMDAyLjA2Ni0uMTA3IDEuNDUzIDEuNDUzIDAgMDAtLjEwOC0yLjA1Mm0tMTcuNTg4LTIuODEyYzYuMDQzIDAgMTAuOTU4LTQuODgzIDEwLjk1OC0xMC44ODVzLTQuOTE1LTEwLjg4NC0xMC45NTgtMTAuODg0Yy02LjA0MSAwLTEwLjk1NyA0Ljg4Mi0xMC45NTcgMTAuODg0IDAgNi4wMDIgNC45MTYgMTAuODg1IDEwLjk1NyAxMC44ODVtMTkuMTkgNi4yQTMuNDgzIDMuNDgzIDAgMDE2NC41MjkgNjVhMy40NzUgMy40NzUgMCAwMS0yLjMyMi0uODgzTDU0LjkzMSA1Ny42YTEyLjkzNSAxMi45MzUgMCAwMS03LjAwOSAyLjA2Yy03LjE1IDAtMTIuOTY3LTUuNzc5LTEyLjk2Ny0xMi44ODIgMC03LjEwMiA1LjgxNy0xMi44ODEgMTIuOTY3LTEyLjg4MSA3LjE1MSAwIDEyLjk2OSA1Ljc3OSAxMi45NjkgMTIuODgxIDAgMi4wMzgtLjQ5MiAzLjk2LTEuMzQ0IDUuNjc0bDcuMzA5IDYuNTRhMy40NDQgMy40NDQgMCAwMS4yNTYgNC44NzJNMjEuMjggMjkuMzkzYzAgLjUxOS4wMzIgMS4wMzYuMDk0IDEuNTM2YS45OTQuOTk0IDAgMDEtLjgyMyAxLjEwNmMtMi40NzIuNjM0LTYuNTQgMi41NTMtNi41NCA4LjMxIDAgNC4zNDggMi40MTMgNi43NDggNC40MzkgNy45OTYuNjkxLjQzMyAxLjUxLjY2NCAyLjM3My42NzNsMTIuMTIyLjAxMS0uMDAyIDEuOTk3LTEyLjEzMS0uMDFjLTEuMjQ2LS4wMTQtMi40MjgtLjM1MS0zLjQyOC0uOTc3QzE1LjM3NyA0OC43OTcgMTIgNDUuODkgMTIgNDAuMzQ1YzAtNi42ODMgNC42LTkuMTUzIDcuMy0xMC4wMjYtLjAyLS4zMDctLjAzLS42MTctLjAzLS45MjYgMC01LjQ2IDMuNzI4LTExLjEyMyA4LjY3Mi0xMy4xNzEgNS43ODItMi40MDcgMTEuOTA4LTEuMjE0IDE2LjM4NCAzLjE4OSAxLjM4OCAxLjM2NCAyLjUyOSAzLjAyIDMuNDA0IDQuOTM3YTYuNTA5IDYuNTA5IDAgMDE0LjE1NC0xLjUwMmMzLjAwMiAwIDYuMzgyIDIuMjY0IDYuOTg0IDcuMjE1IDIuODEyLjY0NCA4Ljc1MyAyLjg5NCA4Ljc1MyAxMC4zNjIgMCAyLjk4MS0uOTQxIDUuNDQ0LTIuNzk4IDcuMzE5bC0xLjQzMy0xLjQwMWMxLjQ3My0xLjQ4OCAyLjIyLTMuNDc5IDIuMjItNS45MTggMC02LjUzMi01LjUwNC04LjE1Ny03Ljg3My04LjU1MWExLjAwMiAxLjAwMiAwIDAxLS44MjMtMS4xNTdjLS4zMjktNC4wNTUtMi43NTMtNS44NzItNS4wMy01Ljg3Mi0xLjQzNyAwLTIuNzg0LjY5NS0zLjY5NyAxLjkwN2ExLjAwNiAxLjAwNiAwIDAxLTEuNzUtLjI1OGMtLjgyMy0yLjI2Ni0yLjAxLTQuMTcxLTMuNTI1LTUuNjYxLTMuODgtMy44MTYtOS4xODQtNC44NS0xNC4xOTUtMi43NjYtNC4xNyAxLjcyNy03LjQzNyA2LjcwMi03LjQzNyAxMS4zMjgiIGZpbGw9IiNGRkYiLz4KICAgIDwvZz4KICA8L2c+Cjwvc3ZnPgo=",
"name": "Amazon CloudWatch Logs"
},
"statements": [
{
"action": "logs:CreateLogGroup",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "AWSLambdaBasicExecutionRole",
"policyType": "managed"
}
},
{
"action": "logs:CreateLogStream",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "AWSLambdaBasicExecutionRole",
"policyType": "managed"
}
},
{
"action": "logs:PutLogEvents",
"effect": "Allow",
"resource": "*",
"service": "logs",
"source": {
"index": "0",
"policyName": "AWSLambdaBasicExecutionRole",
"policyType": "managed"
}
}
]
}
},
"roleName": "MyProject-EdgeFunctionFnServiceRoleC7B72E4-1DV3AZXP558ZS",
"trustedEntities": [
"lambda.amazonaws.com",
"edgelambda.amazonaws.com"
]
}
我刚刚尝试了使用 Lambda 面板中的测试。所有测试都将日志发送到 CloudWatch。但是,当我向 CloudFront 发送请求时,它没有发送任何内容。
更新 2 我刚从 StackOverflows 发现,日志不是集中存储的,而是分布在各个区域的。如下所示
/aws/lambda/us-east-1.MyProject-EdgeFunctionFn44308ADF-loJeFwXXzTOm
因此,我需要在 CloudFront 面板中打开它,而不是从 Lambda 面板中打开它。我在任何 AWS 文档中都没有找到相关信息。
参考
https://aws.amazon.com/id/blogs/networking-and-content-delivery/aggregating-lambdaedge-logs/
- 最新
- 投票最多
- 评论最多
【以下的回答经过翻译处理】 我以前在使用 Lambda@Edge 日志时也遇到过这个问题。日志会打印到用于接收内容的任何区域的 CloudWatch 日志组中。由于 Lambda@Edge 在所有使用的边缘位置进行复制,因此虽然您处理的是一个 Lambda 函数,但实际上您正在处理多达几十个 Lambda@Edge 函数。因此,请查看所有靠近您所在位置的区域中的 CloudWatch 日志组,查找边缘 Lambda 的日志组。
要在 CloudFront 面板中找到该选项,请访问 Telemetry->Monitoring
,选择 Lambda@Edge 选项卡,选择相应的 lambda 版本,然后在右上角会出现一个名为 View Function Logs
(查看函数日志)的下拉菜单,在那里您可以看到所有提供日志的区域。
相关内容
- AWS 官方已更新 2 年前
- AWS 官方已更新 2 年前
- AWS 官方已更新 7 个月前