402 — Lambda Logs and Async Invocation

Intermediate

Capture Lambda logs inline with --log-type Tail, decode the base64 LogResult, read the REPORT billing line, and invoke the function asynchronously — all from the CLI.

Learning Objectives

1
Use --log-type Tail to capture log output directly from a synchronous Lambda invocation
2
Decode the base64-encoded LogResult field returned by --log-type Tail
3
Read and interpret the REPORT log line fields including Billed Duration and Max Memory Used
4
Locate a Lambda function's CloudWatch Logs log group and list its log streams using the AWS CLI
5
Read all log events from a specific log stream using aws logs get-log-events
6
Invoke a Lambda function asynchronously using --invocation-type Event and confirm the HTTP 202 response
7
Verify async invocation completion by reading the CloudWatch Logs stream
8
Describe the cold-start mechanism and when Lambda initialization latency occurs
Step 1

Recreate the IAM execution role

This lesson builds on the IAM role and Lambda function from Lesson 401. If devops-lambda-role still exists in your account, retrieve its ARN using the tip below and move on. Otherwise, recreate the role and attach the basic execution policy.

Commands to Run

cat > lambda-trust.json << 'POLICY'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
ROLE_ARN=$(aws iam create-role \
  --role-name devops-lambda-role \
  --assume-role-policy-document file://lambda-trust.json \
  --query Role.Arn \
  --output text)
aws iam attach-role-policy \
  --role-name devops-lambda-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

What This Does

These commands reproduce the Lesson 401 role setup: the lambda.amazonaws.com trust policy, role creation, and the AWSLambdaBasicExecutionRole managed policy that grants CloudWatch Logs write access.

ROLE_ARN is captured for the create-function call in the next step.

Expected Outcome

create-role output is captured silently into ROLE_ARN; attach-role-policy prints nothing on success.

If you see EntityAlreadyExists, the role from Lesson 401 is still present — retrieve its ARN instead: ROLE_ARN=$(aws iam get-role --role-name devops-lambda-role --query Role.Arn --output text)

Pro Tips

  • 1
    Billing callout: IAM role creation is always free. Lambda has an always-free allowance of 1 million requests/month and 400,000 GB-seconds/month that never expires.
  • 2
    If the role already exists, retrieve the ARN without recreating it: ROLE_ARN=$(aws iam get-role --role-name devops-lambda-role --query Role.Arn --output text)
Was this step helpful?

All Steps (0 / 13 completed)