aws lambda permissions

so i’m writing a webhook for IFTTT using aws lambda. spent an embarrassing amount of time looking for the problem with my cloudformation and lambda deployment. this is what i had in cloudformation:

PocketLogRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - "sts:AssumeRole"
    Path: /
PocketLogLogsPolicy:
  Type: AWS::IAM::Policy
  Properties:
    Roles:
      - !Ref PocketLogRole
    PolicyName: pocketlog-cloudwatch
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        -
          Effect: Allow
          Action:
            - logs:*
          Resource:
            - arn:aws:logs:*:*:*

the function would execute fine, return the expected value, but my logs wouldn’t show up in cloudwatch. the derp: i never wrote anything to stdout. used the python logging module throughout. didn’t assign a streamhandler to it though. my function was whispering into the ether.
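
The policy in the template above allows `logs:*` on `arn:aws:logs:*:*:*`, which is far more than a function needs to write its own logs. A narrower version follows as an added example, not the author's template. It assumes a hypothetical `PocketLogFunction` resource (an `AWS::Lambda::Function` that is not shown on the page) and Lambda's default `/aws/lambda/<function name>` log group.

```yaml
PocketLogLogsPolicy:
  Type: AWS::IAM::Policy
  Properties:
    Roles:
      - !Ref PocketLogRole
    PolicyName: pocketlog-cloudwatch
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: Allow
          # Only the three actions needed to create the log group and stream
          # and to write events, instead of logs:*.
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          # Scoped to this function's log group in this account and region.
          # PocketLogFunction is an assumed resource name; !Sub resolves it
          # to the function name.
          Resource:
            - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${PocketLogFunction}:*"
```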