I followed this guide to set up a Lambda feature to subscribe to log events. In step 5, you must give "CloudWatch Logs permission to run your role" as follows:
aws lambda add-permission --function-name "helloworld" --statement-id "helloworld" --principal "logs.region.amazonaws.com" --action "lambda:InvokeFunction" --source-arn "arn:aws:logs:region:123456789123:log-group:TestLambda:*" --source-account "123456789012"
That works fine.
Well, according to the documentation, the --source-arn argument to aws lambda add-permission is optional. However, if I do not provide it, the subscription does not appear as registered when the Lambda feature configuration page is opened on the AWS website (see first screenshot below). The subscription is actually registered and can trigger the Lambda. I can confirm that if I delete the permission and add it again with a --source-arn, the subscription is shown as registered (second screenshot).
I think it's a small thing, but why should the --source-arn argument to add-permission have anything to do with whether the subscription appears in the UI? Especially since, whether or not you provide --source-arn, the permission is still sufficient for the Lambda version.
(Note: After I've come a long way in writing this Q, it just seems to be a mistake, but I'll stop so I can refer to it in a big report until there's an answer.)
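An added example, not part of the original post: --source-arn and --source-account end up as Condition entries (ArnLike on AWS:SourceArn, StringEquals on AWS:SourceAccount) in the function's resource policy, so omitting --source-arn leaves the grant open to any log group that meets the remaining conditions. The audit below lists service-principal statements missing either key; the policy document is constructed sample data in the shape `aws lambda get-policy` returns, and the Sids, region and account id are placeholders.

```python
import json

# Constructed sample in the shape of the "Policy" document returned by
# `aws lambda get-policy`; Sids, region and account id are placeholders.
def _stmt(sid, condition=None):
    st = {"Sid": sid, "Effect": "Allow",
          "Principal": {"Service": "logs.region.amazonaws.com"},
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:region:123456789012:function:helloworld"}
    if condition is not None:
        st["Condition"] = condition
    return st

ACCOUNT = {"AWS:SourceAccount": "123456789012"}
LOG_GROUP = {"AWS:SourceArn": "arn:aws:logs:region:123456789012:log-group:TestLambda:*"}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("with-arn", {"StringEquals": ACCOUNT, "ArnLike": LOG_GROUP}),
    _stmt("account-only", {"StringEquals": ACCOUNT}),   # added without --source-arn
    _stmt("unscoped"),                                  # no conditions at all
]})

REQUIRED = ("aws:sourcearn", "aws:sourceaccount")

def condition_keys(statement):
    """Lower-cased condition keys across every operator (keys are case-insensitive)."""
    keys = set()
    for operands in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operands)
    return keys

def audit(policy_json):
    """Map Sid -> missing scoping keys for Allow statements granted to a service principal."""
    findings = {}
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may not be wrapped in a list
        statements = [statements]
    for st in statements:
        principal = st.get("Principal")
        is_service = isinstance(principal, dict) and "Service" in principal
        if st.get("Effect") != "Allow" or not is_service:
            continue
        missing = [k for k in REQUIRED if k not in condition_keys(st)]
        if missing:
            findings[st.get("Sid", "<no Sid>")] = missing
    return findings

if __name__ == "__main__":
    for sid, missing in audit(SAMPLE_POLICY).items():
        print(f"{sid}: missing {', '.join(missing)}")
```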