ken

Reputation: 8993

CloudWatch log role ARN

I am trying to set up a really basic API with the AWS API Gateway product, and it seems I cannot find any policies that will suffice for it to log or, for that matter, even to leave the first page of the settings screen. I am stuck here:

URL: https://eu-west-1.console.aws.amazon.com/apigateway/home?region=eu-west-1#/settings

and my desperation has led to the following permissions being granted to the role:

I've also added the following bespoke policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

All to no avail. Whenever I press the save button I get the following:

Any help would be greatly appreciated.

Upvotes: 8

Views: 6711

Answers (1)

Paddez

Reputation: 908

This is actually an error with API Gateway not being able to assume that specific role. This is probably due to your role's Trust Relationship policy not allowing the API Gateway Service to assume the role.

If you add the following Trust Relationship policy, it should work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 10
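
An offline check for the condition the answer describes, as an added example that is not part of the original question or answer: it evaluates a role's trust policy document and reports whether the API Gateway service principal is allowed to call `sts:AssumeRole`. The helper names and the EC2-only sample policy are constructed for illustration, and `Condition`, `NotPrincipal` and `NotAction` elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

API_GATEWAY = "apigateway.amazonaws.com"

# Trust policy from the answer above.
ANSWER_TRUST = """{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "sts:AssumeRole"}]}"""

# Constructed sample: a role that trusts only EC2, so API Gateway cannot assume it.
CONSTRUCTED_EC2_TRUST = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}}"""


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal entries."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(stmt, service):
    """True if the statement names `service` as principal and covers sts:AssumeRole."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        principal_ok = True
    else:
        principal_ok = service in _as_list(principal.get("Service"))
    # Action names are case-insensitive and may contain wildcards ("sts:*", "*").
    action_ok = any(fnmatchcase("sts:assumerole", a.lower())
                    for a in _as_list(stmt.get("Action")))
    return principal_ok and action_ok


def service_can_assume(trust_policy, service=API_GATEWAY):
    """Evaluate a trust policy for one service principal (Condition blocks are ignored)."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    hits = [s for s in _as_list(doc.get("Statement")) if _matches(s, service)]
    if any(s.get("Effect") == "Deny" for s in hits):
        return False  # an explicit Deny overrides any Allow
    return any(s.get("Effect") == "Allow" for s in hits)


if __name__ == "__main__":
    for name, policy in [("answer", ANSWER_TRUST), ("constructed", CONSTRUCTED_EC2_TRUST)]:
        print(name, service_can_assume(policy))
```

The permissions policy in the question only governs what the role may do once assumed; this check covers the separate trust policy that decides who may assume it.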
