Skip to content

Instantly share code, notes, and snippets.

@xriu

xriu/README.md

Created June 4, 2019 10:28
Show Gist options
  • Save xriu/2654626fc4c0dbcd463af9448e6fdc74 to your computer and use it in GitHub Desktop.
Save xriu/2654626fc4c0dbcd463af9448e6fdc74 to your computer and use it in GitHub Desktop.
Download ZIP
Give API Gateway permissions to write to CloudWatch logs
Raw
README.md

Necessary for API Gateway Logging

Give API Gateway permissions to write to CloudWatch logs

Solves the CloudFormation error that yields the message:

CloudWatch Logs role ARN must be set in account settings to enable logging (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: ...)

NOTE: This is a one time process. As long as you have this enabled once in a region, you can deploy other stacks without the need for each stack to create this role. As a good practice, create a separate stack altogether with just the API Gateway logging role so none of your application stacks need them.

Raw
cloud-formation.yaml
---
AWSTemplateFormatVersion: '2010-09-09'
Resources:
ApiGwAccountConfig:
Type: "AWS::ApiGateway::Account"
Properties:
CloudWatchRoleArn: !GetAtt "ApiGatewayLoggingRole.Arn"
ApiGatewayLoggingRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- "apigateway.amazonaws.com"
Action: "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment