Capture Lambda logs inline with --log-type Tail, decode the base64 LogResult, read the REPORT billing line, and invoke the function asynchronously — all from the CLI.
This lesson builds on the IAM role and Lambda function from Lesson 401. If devops-lambda-role still exists in your account, retrieve its ARN using the tip below and move on. Otherwise, recreate the role and attach the basic execution policy.
cat > lambda-trust.json << 'POLICY'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "lambda.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}
POLICYROLE_ARN=$(aws iam create-role \
--role-name devops-lambda-role \
--assume-role-policy-document file://lambda-trust.json \
--query Role.Arn \
--output text)aws iam attach-role-policy \
--role-name devops-lambda-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleThese commands reproduce the Lesson 401 role setup: the lambda.amazonaws.com trust policy, role creation, and the AWSLambdaBasicExecutionRole managed policy that grants CloudWatch Logs write access.
ROLE_ARN is captured for the create-function call in the next step.
create-role output is captured silently into ROLE_ARN; attach-role-policy prints nothing on success.
If you see EntityAlreadyExists, the role from Lesson 401 is still present — retrieve its ARN instead: ROLE_ARN=$(aws iam get-role --role-name devops-lambda-role --query Role.Arn --output text)