10
votes

I can't enable write access to CloudWatch logs in AWS API Gateway by providing a new IAM Role.

I checked several tutorials, checked everything. Even attached the AdministratorAccess policy to my IAM Role and checked that the identity provider apigateway.amazonaws.com is a trusted entity.

But it still fails when I try to enable logs in API Gateway:

The role ARN does not have required permissions set to API Gateway

4
What do you mean - role for API Gateway? perhaps role for Lambda? - Dmitry Grinko
What is the policy of the user who is providing the role to API Gateway? It needs iam:passRole permission. - Ka Hou Ieong

4 Answers

11
votes

I was having this issue today as I was trying to set up a user that I had given those permissions to. Resolved it by going through the "Create role" wizard and selecting the API Gateway service, which created an IAM ARN with the correct permissions.

Select your use case
API Gateway
Allows API Gateway to push logs to CloudWatch Logs.
4
votes

For me the following AWS configuration fixed this issue.

Edited the "Trust Relationship" in the Role with the following configuration:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["apigateway.amazonaws.com", "lambda.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Edited the policies with the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Here is a more detailed description for the policy configuration: policy description

3
votes

After much frustration, I followed Alex's advice, then gave up for a while.

Eventually, the IAM "stuff" propagated and the "enable logs" request completed successfully.

2
votes

In case you want the least number of privileges for your role, this is the minimum set of permissions to add:

CloudWatchRolePolicy: 
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ManagedPolicyName: MyAPIGatewayRolePolicy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowWriteMetricsFromCloudWatch
            Effect: Allow
            Action:
            - "logs:CreateLogGroup"
            - "logs:CreateLogStream"
            - "logs:DescribeLogGroups"
            - "logs:DescribeLogStreams"
            - "logs:PutLogEvents"
            - "logs:GetLogEvents"
            - "logs:FilterLogEvents"
            Resource: "*" # This should be scoped too
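The thread names three separate things that have to line up before API Gateway accepts the role: the trust policy (second answer), the CloudWatch Logs permissions (second and fourth answers), and iam:PassRole for whoever hands the role to API Gateway (Ka Hou Ieong's comment). The following is an added example, not code from any of the answers: an offline Python checker that reads the policy JSON and reports which of the three is missing. It never calls AWS; the account id and role name are placeholder assumptions, and the sample documents are constructed from the policies posted above.

```python
"""Offline pre-flight check for an API Gateway CloudWatch Logs role.
Added example for this thread, not code from any answer; it inspects policy
JSON locally and never calls AWS. Sample documents are constructed from the
answers above; the account id and role name are placeholders."""
import fnmatch

# Action list from the least-privilege answer (same set as the AWS-managed
# policy AmazonAPIGatewayPushToCloudWatchLogs).
REQUIRED_LOG_ACTIONS = {
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents",
    "logs:FilterLogEvents",
}
ROLE_ARN = "arn:aws:iam::123456789012:role/ApiGatewayCloudWatchLogsRole"  # placeholder


def _as_list(value):
    """IAM accepts a bare string anywhere a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('logs:*', 'arn:aws:iam::*:role/*'); compared as written."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _granted(policy_docs, action, resource=None):
    """Allow if some statement covers the action (and resource, when given); explicit Deny wins."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if not _matches(stmt.get("Action"), action):
                continue
            if resource is not None and not _matches(stmt.get("Resource"), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def trusts_api_gateway(trust_doc):
    """The trust policy must let the apigateway.amazonaws.com service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_doc.get("Statement")):
        principal = stmt.get("Principal")
        services = principal.get("Service") if isinstance(principal, dict) else None
        if (stmt.get("Effect") == "Allow"
                and "apigateway.amazonaws.com" in _as_list(services)
                and _matches(stmt.get("Action"), "sts:AssumeRole")):
            return True
    return False


def missing_log_actions(role_policy_docs):
    """Required logs actions that none of the role's policies grant (empty list = complete)."""
    return sorted(a for a in REQUIRED_LOG_ACTIONS if not _granted(role_policy_docs, a))


def can_pass_role(caller_policy_docs, role_arn):
    """Whoever sets the role in API Gateway needs iam:PassRole on that role's ARN."""
    return _granted(caller_policy_docs, "iam:PassRole", role_arn)


def diagnose(trust_doc, role_policy_docs, caller_policy_docs, role_arn=ROLE_ARN):
    """Reasons API Gateway would reject the role; [] means the documents are sufficient."""
    problems = []
    if not trusts_api_gateway(trust_doc):
        problems.append("trust policy does not allow apigateway.amazonaws.com to sts:AssumeRole")
    missing = missing_log_actions(role_policy_docs)
    if missing:
        problems.append("role is missing " + ", ".join(missing))
    if not can_pass_role(caller_policy_docs, role_arn):
        problems.append("caller lacks iam:PassRole on " + role_arn)
    return problems


# Constructed sample documents, taken from the answers and comments above.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["apigateway.amazonaws.com", "lambda.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}
TRUST_LAMBDA_ONLY = {"Version": "2012-10-17", "Statement": [{  # the "role for Lambda?" case
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": sorted(REQUIRED_LOG_ACTIONS), "Resource": "*"}]}
PUT_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]}
CALLER_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN}]}
CALLER_NO_PASS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "apigateway:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("working role:", diagnose(TRUST_OK, [LEAST_PRIVILEGE], [CALLER_OK]))
    print("lambda-only role:", diagnose(TRUST_LAMBDA_ONLY, [PUT_ONLY], [CALLER_NO_PASS]))
```

An empty result means the JSON is sufficient; as the third answer notes, a freshly created role can still be rejected for a short while until IAM propagates. The checker does not evaluate Condition blocks or resource scoping on the logs actions, so treat it as a pre-flight check on the documents rather than a simulation of IAM.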