amplify-education / serverless-log-forwarding

Serverless plugin for forwarding CloudWatch logs to another Lambda function.

Forwarding to Lambda on another account

sime opened this issue

Hi!

I'm stuck trying to forward logs to a Lambda on another AWS account, though I'm not entirely sure that it is even possible.

An error occurred: LogForwardingLambdaPermission - User: arn:aws:iam::DeployingAccountId:user/deployUser is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:eu-west-1:LoggerAccountId:function:logger-stg-cloudwatchListener.

I tried tweaking IAM permissions, though I am really shooting in the dark when attempting cross account permissions.

In the AWS Console, no hints are given that Lambdas can be subscribed cross-account. And according to the docs only Kinesis streams are possible (though the Console also permits Elasticsearch cross-account).

Kinesis streams are currently the only resource supported as a destination for cross-account subscriptions.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CrossAccountSubscriptions.html

PS thanks for this plugin, we use it exclusively to forward logs to a little function that pushes them to our Splunk server.

I haven't tried this. It might not be possible. Could you deploy the function to each account separately?

That is how we will be progressing. Managing a single code base with multiple AWS accounts is a little tricky.
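Given the doc excerpt quoted in the issue (only Kinesis streams are valid cross-account destinations), the supported arrangement is a CloudWatch Logs Destination in the logger account fronting a Kinesis stream, with the deploying account's log groups subscribed to that destination instead of to the Lambda directly. The two CloudFormation fragments below are an added example, not part of this issue or the plugin; account IDs, names, the log group and the region are placeholders taken from the error message.

```yaml
# --- Stack in the logger account (LoggerAccountId) ---
Resources:
  LogStream:
    Type: AWS::Kinesis::Stream
    Properties:
      ShardCount: 1
  LogsToKinesisRole:                      # assumed by CloudWatch Logs to write into the stream
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: logs.eu-west-1.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: put-records
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: kinesis:PutRecord
                Resource: !GetAtt LogStream.Arn
  LogDestination:
    Type: AWS::Logs::Destination
    Properties:
      DestinationName: cross-account-logs
      RoleArn: !GetAtt LogsToKinesisRole.Arn
      TargetArn: !GetAtt LogStream.Arn
      # Least privilege: only the deploying account may attach subscription filters here
      DestinationPolicy: |
        {"Version":"2012-10-17","Statement":[{"Effect":"Allow",
          "Principal":{"AWS":"DeployingAccountId"},
          "Action":"logs:PutSubscriptionFilter",
          "Resource":"arn:aws:logs:eu-west-1:LoggerAccountId:destination:cross-account-logs"}]}

# --- Stack in the deploying account (DeployingAccountId) ---
Resources:
  LogSubscription:
    Type: AWS::Logs::SubscriptionFilter
    Properties:
      LogGroupName: /aws/lambda/my-service-stg-myFunction   # placeholder log group
      FilterPattern: ""                                     # forward every event
      DestinationArn: arn:aws:logs:eu-west-1:LoggerAccountId:destination:cross-account-logs
```

The existing logger-stg-cloudwatchListener function then reads the stream through a Kinesis event source mapping in the logger account, so no cross-account lambda:AddPermission call is needed.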