@villasv
Last active Aug 10, 2022
Give API Gateway permissions to write to CloudWatch logs

Necessary for API Gateway Logging

Solves the CloudFormation error that yields the message:

CloudWatch Logs role ARN must be set in account settings to enable logging (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: ...)

NOTE: This is a one-time process. As long as you have enabled this once in a region, you can deploy other stacks there without each stack having to create this role. As a good practice, create a separate stack containing only the API Gateway logging role so that none of your application stacks need it.

---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ApiGwAccountConfig:
    Type: "AWS::ApiGateway::Account"
    Properties:
      CloudWatchRoleArn: !GetAtt "ApiGatewayLoggingRole.Arn"
  ApiGatewayLoggingRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - "apigateway.amazonaws.com"
            Action: "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
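As an added check (not part of the gist), the Python below validates the three things the template wires together: the region's account-level cloudwatchRoleArn, the role's trust policy (only apigateway.amazonaws.com, no wildcard principal), and the attached managed policy, against JSON you would pull with the AWS CLI. The inputs at the bottom are constructed samples, not real account data.

```python
# Added example: offline checks for the account-level API Gateway logging role.
# Inputs mirror `aws apigateway get-account`, `aws iam get-role` (its "Role" object)
# and `aws iam list-attached-role-policies`; the samples at the bottom are constructed.
APIGW_SERVICE = "apigateway.amazonaws.com"
MANAGED_POLICY = "iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_logging_role(account: dict, role: dict, attached_arns: list) -> list:
    """Return findings; an empty list means the setup matches the template above."""
    findings = []
    role_arn = role["Arn"]
    configured = account.get("cloudwatchRoleArn")
    if not configured:
        # The setting is per region: an empty value here is what triggers the 400 error.
        findings.append("account setting has no cloudwatchRoleArn in this region")
    elif configured != role_arn:
        findings.append(f"account points at {configured}, not {role_arn}")

    trusted = set()
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
        if isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service", [])))
    if APIGW_SERVICE not in trusted:
        findings.append(f"trust policy does not allow {APIGW_SERVICE}")
    if trusted - {APIGW_SERVICE}:
        findings.append(f"trust policy also trusts {sorted(trusted - {APIGW_SERVICE})}")

    # Mirror the template's !Sub "${AWS::Partition}" by reading the partition off the role ARN.
    expected_policy = f"arn:{role_arn.split(':')[1]}:{MANAGED_POLICY}"
    if expected_policy not in attached_arns:
        findings.append(f"{expected_policy} is not attached")
    return findings

# Constructed samples (not real account data) in the shape of the CLI responses.
SAMPLE_ACCOUNT = {"cloudwatchRoleArn": "arn:aws:iam::123456789012:role/ApiGatewayLoggingRole"}
SAMPLE_ROLE = {
    "Arn": "arn:aws:iam::123456789012:role/ApiGatewayLoggingRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": APIGW_SERVICE}, "Action": "sts:AssumeRole"}]},
}
SAMPLE_ATTACHED = [f"arn:aws:{MANAGED_POLICY}"]
```

Run it once per region you deploy to, since the account setting does not carry across regions.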
@villasv

villasv commented Oct 31, 2018

You can manually create a CloudFormation Stack by pasting the above in the Template box in the CloudFormation Template Designer, or deploy it with the CLI. No tweaking required, it works out-of-the-box.

Example aws-cli command (thanks @nator333)

aws cloudformation deploy \
  --stack-name gateway-logging-permission \
  --template-file cloud-formation.yaml \
  --no-fail-on-empty-changeset \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND

@codelance

codelance commented Dec 16, 2019

This was clutch.. thanks!

@stopdropandrew

stopdropandrew commented Dec 30, 2020

This rules!

@bdd4329

bdd4329 commented Jan 28, 2021

You are the man!

@rainabba

rainabba commented Mar 1, 2021

Seriously, thank you. Amazing how much the docs are lacking for something as critical as logging.

@Brachacz

Brachacz commented Apr 1, 2021

Thanks a lot!

@aldirrix

aldirrix commented Apr 22, 2021

Thank you for uploading this!

@diegosasw

diegosasw commented May 21, 2021

Is this valid for V2? (e.g. AWS::ApiGatewayV2::Api)

@nator333

nator333 commented Jun 5, 2021

Thank you!
Just to further help lazier people like me...

aws cloudformation deploy \
  --stack-name gateway-logging-permission \
  --template-file cloud-formation.yaml \
  --no-fail-on-empty-changeset \
  --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND

@charlanalves

charlanalves commented Jun 21, 2021

Thank God! Thank you, mister!

@Ronkiro

Ronkiro commented Aug 13, 2021

You saved my life lul

@imaitland

imaitland commented Dec 3, 2021

You RULE!

@nicornk

nicornk commented Feb 21, 2022

MVP!

@lireking

lireking commented Apr 1, 2022

Great

@dunika

dunika commented Apr 15, 2022

Thanks for this!

@joshhoegen

joshhoegen commented May 12, 2022

UPDATE For APIGatewayV2 - Access Logs only (Execution logs aren't available for http).

The AWS documentation is pretty unclear. After some days of shotgun programming, I found this. Here is a CloudFormation template with API Gateway v2 that worked for me:

MyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/apigateway/nameOfLogGroupForCloudWatch
      RetentionInDays: 7
MyStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      # Begin CloudWatch
      AccessLogSettings:
        DestinationArn: !GetAtt MyLogGroup.Arn # This points to the log group above
        Format: '{ "requestId": "$context.requestId", "path": "$context.path", "routeKey": "$context.routeKey", "ip": "$context.identity.sourceIp", "requestTime": "$context.requestTime", "httpMethod": "$context.httpMethod","statusCode": $context.status }'

@yakobabada

yakobabada commented Jun 16, 2022

Thanks a lot!!

@mclounie

mclounie commented Jun 16, 2022

🥇
