I am following this guide to set up a Lambda function to subscribe to log events. In step 5, you must give "CloudWatch Logs permission to run your role" as follows:
aws lambda add-permission \
    --function-name "helloworld" \
    --statement-id "helloworld" \
    --principal "logs.region.amazonaws.com" \
    --action "lambda:InvokeFunction" \
    --source-arn "arn:aws:logs:region:123456789123:log-group:TestLambda:*" \
    --source-account "123456789012"
That works fine.
Now, according to the documentation, the --source-arn argument to aws lambda add-permission is optional. However, if I do not provide it, the subscription does not appear as registered when the Lambda function's configuration page is opened on the AWS website (see first screenshot below). The subscription is actually registered and can trigger the Lambda. I can confirm that if I delete the permission and add it again with a --source-arn, the subscription is shown as registered (second screenshot).
I think it's a small thing, but why should the --source-arn argument to add-permission have anything to do with whether the subscription appears in the UI? Especially since, whether or not you supply --source-arn, the permission is still sufficient for the Lambda version.
(Note: After I've come a long way in writing this Q, it just seems to be a mistake, but I'll stop so I can refer to it in a bug report until there's an answer.)
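An added example, not part of the original question: a Python check over a Lambda resource policy (the JSON string in the Policy field of `aws lambda get-policy` output) that lists service-principal statements lacking the AWS:SourceArn or AWS:SourceAccount condition that --source-arn and --source-account create. The sample policy is constructed from the values in the command above; the function ARN, the Sids and the helper names are assumptions.

```python
import json

def _stmt(sid, condition):
    """Build one constructed statement shaped like those add-permission writes."""
    st = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "logs.region.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        # Placeholder function ARN (assumption, not from the question).
        "Resource": "arn:aws:lambda:region:123456789012:function:helloworld",
    }
    if condition:
        st["Condition"] = condition
    return st

ACCOUNT = {"StringEquals": {"AWS:SourceAccount": "123456789012"}}
SOURCE = {"ArnLike": {
    "AWS:SourceArn": "arn:aws:logs:region:123456789123:log-group:TestLambda:*"}}

# Constructed sample policy: one statement per way the permission can be added.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("scoped", {**ACCOUNT, **SOURCE}),   # both options supplied
    _stmt("no-source-arn", ACCOUNT),          # --source-arn omitted
    _stmt("unscoped", None),                  # neither option supplied
]})

def _condition_keys(statement):
    """Lower-cased condition keys across every operator of one statement."""
    return {key.lower()
            for pairs in statement.get("Condition", {}).values()
            for key in pairs}

def audit(policy_json):
    """Return {Sid: [missing scoping keys]} for service-principal Allow statements."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):          # a single statement may not be a list
        statements = [statements]
    findings = {}
    for st in statements:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        keys = _condition_keys(st)
        missing = [k for k in ("aws:sourcearn", "aws:sourceaccount") if k not in keys]
        if missing:
            findings[st.get("Sid", "<no Sid>")] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

A statement with no AWS:SourceArn condition lets any log group whose subscription targets the function invoke it through that service principal, so the check reports it even though invocation works.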