
I created a Lambda function to upload files to S3. When testing via the AWS interface, everything works. Next I created the API Gateway and tried to make a request through ReactJS. But I get an error. I want to see what error occurs, but I cannot add logs to the API Gateway. What I did:

  1. Create API Gateway -> go to Stages -> Logs/Tracing
  2. Try to activate the checkbox "Enable CloudWatch Logs" but got: "CloudWatch Logs role ARN must be set in account settings to enable logging"
  3. Create a role in IAM with the following policies: AmazonS3FullAccess, AmazonAPIGatewayPushToCloudWatchLogs, AWSLambdaBasicExecutionRole
  4. Copy the Role ARN
  5. Go to the settings of my API and try to paste it into "CloudWatch log role ARN". But got: "The role ARN does not have required permissions set to API Gateway."

Can you tell me what other settings I need?

  • By saying "the settings of my API", do you mean the general API Gateway Settings, or your particular API? If it is not the general one, then this is the problem. Look at these docs - aws.amazon.com/premiumsupport/knowledge-center/… Commented Nov 26, 2019 at 18:06
  • @m3n7alsnak3 Yeah, I've already found that manual and I've done it. Thank you. Commented Nov 26, 2019 at 18:10
  • did it work, or you are still having issues? Commented Nov 26, 2019 at 18:11
  • Yeah, it works. Commented Nov 26, 2019 at 18:14
  • Oh good, want me to add it as an answer? Commented Nov 26, 2019 at 18:31

3 Answers

44

According to this documentation (https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/), after creating the Role, you need to add it to the global AWS API Gateway Settings (when you open the console, there is a Settings menu in the left pane) as the CloudWatch log role ARN.

Then it will use that role for all the gateways you create, so this is a one-time step.


1 Comment

how to configure SAM to create the role and assign to the apigateway v2?
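A preflight check for the logging role, added here as an example; it is not code from the question or either answer, and the policy documents in it are constructed for the example, not fetched from an account. It encodes the two conditions the role has to meet before API Gateway accepts it as the account-level CloudWatch log role: its trust policy must let apigateway.amazonaws.com assume it (a Lambda execution role trusted by lambda.amazonaws.com does not qualify, whatever policies are attached), and it must carry the CloudWatch Logs actions that AmazonAPIGatewayPushToCloudWatchLogs grants. The role only delivers logs, so that one managed policy is all it needs; AmazonS3FullAccess and AWSLambdaBasicExecutionRole do not help here and only widen what the role can do if it is ever assumed.

```python
"""Preflight check for the IAM role API Gateway uses to push execution logs to
CloudWatch. The sample policies at the bottom are constructed (not fetched from
an AWS account); the checks themselves are plain policy-document inspection."""
from fnmatch import fnmatchcase

# Service principal that has to be allowed to assume the logging role. A role
# trusted only by lambda.amazonaws.com (a Lambda execution role) is rejected.
APIGW_PRINCIPAL = "apigateway.amazonaws.com"

# Actions granted by the AWS managed policy
# arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs.
REQUIRED_LOG_ACTIONS = frozenset({
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents",
    "logs:FilterLogEvents",
})


def _as_list(value):
    """IAM accepts a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def trusts_api_gateway(trust_policy):
    """True if an Allow statement lets apigateway.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if isinstance(principal, dict) and APIGW_PRINCIPAL in _as_list(principal.get("Service", [])):
            return True
    return False


def granted_log_actions(policy_docs):
    """Subset of REQUIRED_LOG_ACTIONS covered by Allow statements in the given
    identity policies (managed or inline). IAM action names are matched
    case-insensitively and support '*' wildcards, which fnmatch reproduces."""
    covered = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                covered.update(a for a in REQUIRED_LOG_ACTIONS
                               if fnmatchcase(a.lower(), pattern.lower()))
    return covered


def check_logging_role(trust_policy, policy_docs):
    """Return the reasons the role cannot serve as the account-level CloudWatch
    log role; an empty list means it is usable."""
    problems = []
    if not trusts_api_gateway(trust_policy):
        problems.append(f"trust policy does not allow {APIGW_PRINCIPAL} to assume the role")
    missing = REQUIRED_LOG_ACTIONS - granted_log_actions(policy_docs)
    if missing:
        problems.append("missing CloudWatch Logs actions: " + ", ".join(sorted(missing)))
    return problems


def account_patch_operations(role_arn):
    """Patch document that sets the role in the (regional) API Gateway account
    settings: boto3 client('apigateway').update_account(patchOperations=...)
    or `aws apigateway update-account --patch-operations ...`."""
    return [{"op": "replace", "path": "/cloudwatchRoleArn", "value": role_arn}]


# --- constructed sample documents -------------------------------------------
def _trust(service):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"Service": service}}]}

LAMBDA_TRUST = _trust("lambda.amazonaws.com")   # typical Lambda execution role
APIGW_TRUST = _trust(APIGW_PRINCIPAL)           # what API Gateway needs

# The single statement of AmazonAPIGatewayPushToCloudWatchLogs, reproduced here.
PUSH_LOGS_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Resource": "*",
                                   "Action": sorted(REQUIRED_LOG_ACTIONS)}]}
# A broad S3 grant is irrelevant to log delivery, so it satisfies nothing here.
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(check_logging_role(LAMBDA_TRUST, [PUSH_LOGS_POLICY]))   # trust problem
    print(check_logging_role(APIGW_TRUST, [S3_ONLY_POLICY]))      # permissions problem
    print(check_logging_role(APIGW_TRUST, [PUSH_LOGS_POLICY]))    # []
```

For a real role, feed the check the documents returned by `aws iam get-role` (AssumeRolePolicyDocument) and `aws iam get-policy-version` / `aws iam get-role-policy`. The equivalent of the console steps from the CLI is `aws iam create-role --assume-role-policy-document file://trust.json`, `aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs`, then `aws apigateway update-account --patch-operations op=replace,path=/cloudwatchRoleArn,value=<role ARN>`, confirmed with `aws apigateway get-account`. The account setting is per region, so repeat the update-account call in every region that hosts an API.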
7

Using a SAM template

You can automate all your deployment process using Serverless Application Model (SAM) or Serverless Framework. The following SAM template defines the Api Gateway and required configuration to enable CloudWatch Logs:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    # The stage can only enable execution logging once the account-level role
    # exists, so make the API wait for the AWS::ApiGateway::Account resource.
    DependsOn: ApiCWLRoleArn
    Properties:
      StageName: prod
      MethodSettings:
        - LoggingLevel: INFO
          MetricsEnabled: True
          ResourcePath: '/*' # allows for logging on any resource
          HttpMethod: '*' # allows for logging on any method
      Auth:
        ApiKeyRequired: true # sets for all methods

  # Account-level setting (the console's API Gateway > Settings page): the
  # CloudWatch log role ARN. It is per account and region, not per API.
  ApiCWLRoleArn:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn

  # IAM Role for API Gateway + CloudWatch Logging
  CloudWatchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: apigateway.amazonaws.com # must be API Gateway, not Lambda
      Path: /
      ManagedPolicyArns:
        # The only permissions the role needs: push/describe/read CloudWatch Logs.
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'

2 Comments

how's that creating the role automatically without me having to manually create it?
@JobaDiniz, CloudFormation will do it for you :-) You have to install the AWS SAM CLI and execute the command sam build && sam deploy --guided in your Lambda project root folder. That will trigger the deployment of your Lambda function through AWS CloudFormation, but you have to specify your Lambda in the SAM template. See the SAM documentation for more details.
3

If you are using CDK, just set the cloudWatchRole flag in the RestApi constructor. By doing that, CDK will assign the required policies for logging into Cloud Watch.

import { EndpointType, MethodLoggingLevel, RestApi } from 'aws-cdk-lib/aws-apigateway'; // CDK v2

// Define the API Gateway. `stage`, `certificateEu` and `recordName` are
// defined elsewhere in the stack.
const api = new RestApi(this, 'Api', {
    restApiName: 'api-dev',
    // Creates an IAM role trusted by apigateway.amazonaws.com with the
    // AmazonAPIGatewayPushToCloudWatchLogs managed policy and registers it as
    // the account-level CloudWatch log role ARN (an AWS::ApiGateway::Account).
    cloudWatchRole: true,
    deployOptions: {
        stageName: stage,
        loggingLevel: MethodLoggingLevel.INFO, // execution logs for every method
    },
    domainName: {
        certificate: certificateEu,
        domainName: recordName,
        endpointType: EndpointType.REGIONAL,
    },
});
