@villasv
Last active November 20, 2023 17:35
Give API Gateway permissions to write to CloudWatch logs

Necessary for API Gateway Logging

Solves the CloudFormation error that yields the message:

CloudWatch Logs role ARN must be set in account settings to enable logging (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: ...)

NOTE: This is a one-time process. The CloudWatch Logs role ARN is an account-level API Gateway setting that is stored per region: once it is set in a region, any other stack in that region can enable API Gateway logging without creating the role again. As a good practice, create a separate stack containing only this logging role so that none of your application stacks needs to own it.

```yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Account-level setting: one per account per region. Every REST API stage in
  # this region that turns on execution logging is served by this role.
  ApiGwAccountConfig:
    Type: "AWS::ApiGateway::Account"
    Properties:
      CloudWatchRoleArn: !GetAtt "ApiGatewayLoggingRole.Arn"
  ApiGatewayLoggingRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Trust only the API Gateway service principal; nothing else needs to
      # assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "apigateway.amazonaws.com"
            Action: "sts:AssumeRole"
      Path: "/"
      # AWS-managed policy with the CloudWatch Logs actions API Gateway needs
      # (create/describe log groups and streams, put events) on any log group.
      # !Sub with AWS::Partition keeps the ARN valid in aws-cn and aws-us-gov.
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
```
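Before enabling `LoggingLevel` on a stage it is worth confirming that the region's account setting really points at a role that trusts only `apigateway.amazonaws.com` and carries the push-to-logs policy. The Python below is an added example, not part of the gist: the pure functions take the JSON that `aws apigateway get-account`, `aws iam get-role` and `aws iam list-attached-role-policies` return (sample responses are constructed inline, so the checks run offline), and `live_check` is an assumed helper name that wires them to boto3 for a real region. `trust_policy` goes one step beyond the gist's template by adding an `aws:SourceAccount` condition, the confused-deputy guard AWS recommends for service roles; the template works without it.

```python
"""Offline checks for the API Gateway account-level CloudWatch Logs role.

Added example, not part of the gist. The pure functions take the JSON shapes
returned by `aws apigateway get-account`, `aws iam get-role` and
`aws iam list-attached-role-policies`; live_check() (assumed helper) wires
them to boto3 for a real region.
"""
import json
import re

APIGW_SERVICE = "apigateway.amazonaws.com"
# Managed policy the gist attaches; the partition prefix varies (aws, aws-cn, aws-us-gov).
PUSH_TO_LOGS_POLICY = "iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/.+$")


def trust_policy(account_id: str) -> dict:
    """Trust policy for the logging role, tightened with aws:SourceAccount so that
    only API Gateway acting on behalf of this account can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": APIGW_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusts_only_apigateway(policy: dict) -> bool:
    """True if every Allow statement granting sts:AssumeRole names only the
    API Gateway service principal (no wildcard, AWS or Federated principals)."""
    seen_apigw = False
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False  # "*" or a non-service principal: too broad
        if _as_list(principal["Service"]) != [APIGW_SERVICE]:
            return False
        seen_apigw = True
    return seen_apigw


def check_account(account: dict, role: dict, attached: dict) -> list:
    """Return the problems that would make stage logging fail or leave the role
    over-privileged; an empty list means logging can be enabled in this region."""
    problems = []
    arn = account.get("cloudwatchRoleArn")
    if not arn:
        problems.append("no CloudWatch Logs role ARN in account settings for this region "
                        "(this is the BadRequestException the gist solves)")
        return problems
    if not ROLE_ARN_RE.match(arn):
        problems.append(f"cloudwatchRoleArn is not an IAM role ARN: {arn}")
    role_body = role.get("Role", {})
    if role_body.get("Arn") != arn:
        problems.append("account setting points at a different role than the one examined")
    doc = role_body.get("AssumeRolePolicyDocument", {})
    if isinstance(doc, str):  # boto3/CLI return a dict; accept a raw JSON string too
        doc = json.loads(doc)
    if not trusts_only_apigateway(doc):
        problems.append("trust policy allows principals other than apigateway.amazonaws.com")
    policies = [p.get("PolicyArn", "") for p in attached.get("AttachedPolicies", [])]
    if not any(p.endswith(PUSH_TO_LOGS_POLICY) for p in policies):
        problems.append("AmazonAPIGatewayPushToCloudWatchLogs is not attached; log delivery will fail")
    return problems


def live_check(region_name: str) -> list:
    """Run check_account against a real region (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions work without it
    apigw = boto3.client("apigateway", region_name=region_name)
    iam = boto3.client("iam")
    account = apigw.get_account()
    arn = account.get("cloudwatchRoleArn")
    if not arn:
        return check_account(account, {}, {})
    role_name = arn.rsplit("/", 1)[-1]
    return check_account(account, iam.get_role(RoleName=role_name),
                         iam.list_attached_role_policies(RoleName=role_name))


# Constructed sample responses (same shape as the real CLI/boto3 output, made-up values).
SAMPLE_ACCOUNT = {"cloudwatchRoleArn": "arn:aws:iam::123456789012:role/ApiGatewayLoggingRole"}
SAMPLE_ROLE = {"Role": {"Arn": SAMPLE_ACCOUNT["cloudwatchRoleArn"],
                        "AssumeRolePolicyDocument": trust_policy("123456789012")}}
SAMPLE_ATTACHED = {"AttachedPolicies": [{
    "PolicyName": "AmazonAPIGatewayPushToCloudWatchLogs",
    "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"}]}

if __name__ == "__main__":
    print(check_account(SAMPLE_ACCOUNT, SAMPLE_ROLE, SAMPLE_ATTACHED) or "ok")
```

Run `live_check("us-east-1")` (or whichever region the failing stack deploys to) from a session with `apigateway:GET` on `/account` and `iam:GetRole`/`iam:ListAttachedRolePolicies`; an empty list means the region is ready, and the first message explains the 400 from the gist description.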
@villasv (Author)

villasv commented Oct 31, 2018

You can manually create a CloudFormation Stack by pasting the above in the Template box in the CloudFormation Template Designer, or deploy it with the CLI. No tweaking required, it works out-of-the-box.

Example aws-cli command (thanks @nator333)

```sh
# The template only creates an unnamed IAM role, so CAPABILITY_IAM is the
# minimum; CAPABILITY_NAMED_IAM is a superset and also works.
# CAPABILITY_AUTO_EXPAND is only needed by templates with a Transform/macro,
# which this one does not have, so it is harmless here.
aws cloudformation deploy \
  --stack-name gateway-logging-permission \
  --template-file cloud-formation.yaml \
  --no-fail-on-empty-changeset \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
```

@codelance

This was clutch.. thanks!

@stopdropandrew

This rules!

@bdd4329

bdd4329 commented Jan 28, 2021

You are the man!

@rainabba

rainabba commented Mar 1, 2021

Seriously, thank you. Amazing how much the docs are lacking for something as critical as logging.

@Brachacz

Brachacz commented Apr 1, 2021

Thanks a lot!

@aldirrix

Thank you for uploading this!

@diegosasw

Is this valid for V2? (e.g. AWS::ApiGatewayV2::Api)

@nator333

nator333 commented Jun 5, 2021

Thank you!
Just to further help a lazier person like me...

```sh
aws cloudformation deploy \
  --stack-name gateway-logging-permission \
  --template-file cloud-formation.yaml \
  --no-fail-on-empty-changeset \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
```

@charlanalves

Thank God! Thank you, mister!

@Ronkiro

Ronkiro commented Aug 13, 2021

You saved my life lul

@imaitland

You RULE!

@nicornk

nicornk commented Feb 21, 2022

MVP!

@lireking

lireking commented Apr 1, 2022

Great

@dunika

dunika commented Apr 15, 2022

Thanks for this!

@joshhoegen

UPDATE for APIGatewayV2 - access logs only (execution logs aren't available for HTTP APIs).

The AWS documentation is pretty unclear. After some days of shotgun programming, I found this. Here is a CloudFormation with API Gateway v2 that worked for me:

```yaml
MyLogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: /aws/apigateway/nameOfLogGroupForCloudWatch
    RetentionInDays: 7
MyStage:
  Type: AWS::ApiGatewayV2::Stage
  Properties:
    ApiId: !Ref MyHttpApi   # required property; MyHttpApi is an assumed name for your AWS::ApiGatewayV2::Api resource
    StageName: '$default'   # required property
    # Begin CloudWatch
    AccessLogSettings:
      DestinationArn: !GetAtt MyLogGroup.Arn # This points to the log group above
      # $context.status is left unquoted so statusCode is emitted as a JSON number
      Format: '{ "requestId": "$context.requestId", "path": "$context.path", "routeKey": "$context.routeKey", "ip": "$context.identity.sourceIp", "requestTime": "$context.requestTime", "httpMethod": "$context.httpMethod","statusCode": $context.status }'
```

@yakobabada

Thanks a lot!!

@mclounie

🥇

@LeonardoX77

Your template is not working for me, but I tried this and it works, just in case it's useful for anyone

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      MethodSettings:
        - LoggingLevel: INFO
          MetricsEnabled: true
          ResourcePath: '/*' # allows for logging on any resource
          HttpMethod: '*' # allows for logging on any method
      Auth:
        ApiKeyRequired: true # sets for all methods
```

@villasv (Author)

villasv commented Jan 2, 2023

@LeonardoX77 that's a very different thing. It's not equivalent to just creating the logging permission. Of course, for those using Serverless CFN resources there are other means.

@LeonardoX77

@villasv Thanks for the clarification. The thing is I got the error "CloudWatch Logs role ARN must be set in account settings to enable logging" in both environments (AWS console and CloudFormation deployment) and I resolved it just by adding my previous code :)
