Jekson
Jekson

Reputation: 3272

Configuring logging of AWS API Gateway

I created a lambda function to upload files to s3. When testing via the AWS interface, everything works. Next I created the API Gateway and tried to make a request through ReactJs. But I get an error. I want to see what error occurs but I cannot add logs to the API Gateway. What I do.

  1. Create API Gateway -> go to Stages-> Logs/Tracing
  2. Try to activate checkbox Enable CloudWatch Logs but got CloudWatch Logs role ARN must be set in account settings to enable logging

  3. Create role in IAM with next policy: AmazonS3FullAccess, AmazonAPIGatewayPushToCloudWatchLogs, AWSLambdaBasicExecutionRole

  4. Copy the Role ARN

  5. go to the setting of my api and try to paste to CloudWatch log role ARN. But got The role ARN does not have required permissions set to API Gateway.

Can you tell me what other settings I need?

Upvotes: 27

Views: 38004

Answers (3)

Jonas Braga
Jonas Braga

Reputation: 635

If you are using CDK, just set the cloudWatchRole flag in the RestApi constructor. By doing that, CDK will assign the required policies for logging into Cloud Watch.

        // Define the API Gateway
        const api = new RestApi(this, 'Api', {
            restApiName: 'api-dev',
            cloudWatchRole: true,
            deployOptions: {
                stageName: stage,
                loggingLevel: MethodLoggingLevel.INFO,
            },
            domainName: {
                certificate: certicateEu,
                domainName: recordName,
                endpointType: EndpointType.REGIONAL,
            },
        })

Upvotes: 3

LeonardoX
LeonardoX

Reputation: 1313

Using a SAM template

You can automate all your deployment process using Serverless Application Model (SAM) or Serverless Framework. The following SAM template defines the Api Gateway and required configuration to enable CloudWatch Logs:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    DependsOn: ApiCWLRoleArn
    Properties:
      StageName: prod
      MethodSettings:
        - LoggingLevel: INFO
          MetricsEnabled: True
          ResourcePath: '/*' # allows for logging on any resource
          HttpMethod: '*' # allows for logging on any method
      Auth:
        ApiKeyRequired: true # sets for all methods

  ApiCWLRoleArn:
    Type: AWS::ApiGateway::Account
    Properties: 
      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn

# IAM Role for API Gateway + CloudWatch Logging
  CloudWatchRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
        Path: /
        ManagedPolicyArns:
          - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'

Upvotes: 6

m3n7alsnak3
m3n7alsnak3

Reputation: 3166

According to this documentation (https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/) after creating the Role, you need to add it to the Global AWS Api Gateway Settings (when you open the Console, there is a settings menu in the left pane) as the CloudWatch log role ARN.

Then it will use that role for all the gateways you create, so this is a one-time step.

Upvotes: 44

Related Questions