Unable to delete the automatic Lambda Logs created in CloudWatch in AWS

Updated over a month ago

Problem description

Every time we run a DR Restore in DRaaS, Lambda logs are automatically generated in AWS CloudWatch. Because of a permissions problem, these logs are not removed afterwards, so they accumulate in CloudWatch.

Cause

The DR Restore logs should be removed at the end of the restore, but they are not, because the Druva IAM role does not have the necessary permissions.

Traceback

[2024-11-13 12:14:53,284] [INFO] [140624651650880] Deleting lambda log events for group_name = /aws/lambda/DruvaDRRestoreLambda-88280
[2024-11-13 12:14:53,293] [ERROR] [140624651650880] LambdaClient : Failed to delete log group_name /aws/lambda/DruvaDRRestoreLambda-88280 : error = An error occurred (AccessDeniedException) when calling the DeleteLogGroup operation: User: arn:aws:sts::428382374208:assumed-role/DruvaIAMRolePL/i-0edc1390165058050 is not authorized to perform: logs:DeleteLogGroup on resource: arn:aws:logs:us-east-1:428382374208:log-group:/aws/lambda/DruvaDRRestoreLambda-88280:log-stream: because no identity-based policy allows the logs:DeleteLogGroup action
[2024-11-13 12:14:53,293] [ERROR] [140624651650880] Error <class 'botocore.exceptions.ClientError'>:An error occurred (AccessDeniedException) when calling the DeleteLogGroup operation: User: arn:aws:sts::428382374208:assumed-role/DruvaIAMRolePL/i-0edc1390165058050 is not authorized to perform: logs:DeleteLogGroup on resource: arn:aws:logs:us-east-1:428382374208:log-group:/aws/lambda/DruvaDRRestoreLambda-88280:log-stream: because no identity-based policy allows the logs:DeleteLogGroup action. Traceback -Traceback (most recent call last):
File "/code/src/phoenix_client_lib/boto3/logsclient.py", line 92, in delete_log_group
File "/usr/local/pyenv/versions/3.9.1/lib/python3.9/site-packages/botocore/client.py", line 535, in _api_call
File "/usr/local/pyenv/versions/3.9.1/lib/python3.9/site-packages/botocore/client.py", line 980, in _make_api_call

Resolution

  • Verify that the DR Proxy is running the most recent version.

  • Check whether DruvaIAMRole has the DeleteLogGroup permission (logs:DeleteLogGroup in the traceback above).

  • If the permission is missing, add it to the Druva IAM role in AWS, and then retry the DR Restore.

  • To avoid confusion, delete any previous Lambda logs before testing this.
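The following is an added example, not Druva's code: it parses the AccessDeniedException message from the traceback above, builds an Allow statement limited to the denied action on that Lambda's log groups, and checks a statement against the denied call. The function names, the `-*` suffix wildcard and the simplified matcher are assumptions made for this illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the AccessDeniedException message copied from the traceback.
SAMPLE_ERROR = (
    "User: arn:aws:sts::428382374208:assumed-role/DruvaIAMRolePL/i-0edc1390165058050"
    " is not authorized to perform: logs:DeleteLogGroup on resource:"
    " arn:aws:logs:us-east-1:428382374208:log-group:/aws/lambda/"
    "DruvaDRRestoreLambda-88280:log-stream: because no identity-based policy"
    " allows the logs:DeleteLogGroup action"
)
DENIAL = re.compile(
    r"assumed-role/(?P<role>[^/]+)/\S+ is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)"
)
LOG_GROUP = re.compile(r"(arn:[^:]+:logs:[^:]+:\d+:log-group:[^:]+?)-\d+(:.*)?$")


def parse_denial(message):
    """Return the role, action and resource named in an AccessDenied message."""
    match = DENIAL.search(message)
    if match is None:
        raise ValueError("not an assumed-role AccessDenied message")
    return match.groupdict()


def scoped_statement(denial):
    """Allow only the denied action, only on this Lambda's log groups.

    Assumption: the digits after the last '-' differ per restore, so they
    become '*'; nothing outside that name prefix is granted.
    """
    match = LOG_GROUP.match(denial["resource"])
    if match is None:
        raise ValueError("resource is not a numbered log group ARN")
    return {"Effect": "Allow", "Action": [denial["action"]],
            "Resource": match.group(1) + "-*"}


def allows(statement, action, resource):
    """Simplified match: ignores Deny, conditions, boundaries and SCPs."""
    actions = [a.lower() for a in statement["Action"]]
    return (statement["Effect"] == "Allow"
            and any(fnmatchcase(action.lower(), a) for a in actions)
            and fnmatchcase(resource, statement["Resource"]))
```

Running `allows` over each statement in the role's current policy documents shows whether any of them covers the denied call before a new statement is attached.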
