0

I am using AWS API Gateway that triggers a Lambda function (integration request type is LAMBDA_PROXY).

I am trying to add logs for the gateway's activities via CloudWatch.

After following this documentation, it is still not working.

The log role has the AmazonAPIGatewayPushToCloudWatchLogs permission and is set in the settings tab under CloudWatch log role ARN.

The stage has the following configurations under Logs/Tracing:

enter image description here

The logs group has the following configurations:

enter image description here

I am testing via Postman and the Lambda is being triggered normally.

4
  • Are you seeing any failed requests to CloudWatch in CloudTrail? Commented Aug 8, 2022 at 9:22
  • @TomNijs what should I be looking for exactly? Commented Aug 8, 2022 at 9:58
  • Did you re-deploy the API after setting up the logs? Commented Aug 8, 2022 at 13:07
  • @Caldazar yes I did Commented Aug 8, 2022 at 14:25

2 Answers

1

First thing to check: there is a global setting, located under Settings in your API Gateway console, that you should have checked.

Check whether you have entered the ARN of an IAM role that has sufficient permissions there yet.

apigw-cwlogs-settings

Second thing to check: you should double-check that IAM role's trust relationship value. Here is mine:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "apigateway.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Third thing to check: you should re-check your Access Logs format. Try using a sample one to check whether it works or not.

    { "requestId":"$context.requestId", \
      "extendedRequestId":"$context.extendedRequestId", \
      "ip": "$context.identity.sourceIp", \
      "caller":"$context.identity.caller", \
      "user":"$context.identity.user", \
      "requestTime":"$context.requestTime", \
      "httpMethod":"$context.httpMethod", \
      "resourcePath":"$context.resourcePath", \
      "status":"$context.status", \
      "protocol":"$context.protocol", \
      "responseLength":"$context.responseLength" \
    }


5 Comments

Thanks for the details, I tried the above and didn't work yet.
@MajedBadawi Have you re-deployed your API Gateway stage? Sometimes, I have to do this to make things take effect.
Yes, I re-deployed
@MajedBadawi What is your Log Group ARN that you input above? Does it have :* in your ARN? If you copy it from AWS Console, delete the :* part and ensure only Log Group name instead.
Yes I removed it, they give you an error if you include it
0

The issue was caused by one of the logging role's permission boundaries.

Configuring the necessary boundaries for my case solved the problem.
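An added example, not part of either answer: an offline check that combines the trust-relationship test from the first answer with the permissions-boundary cause from the second. The policy documents are constructed samples, and the matcher is a simplification that compares `Action` patterns only (it ignores `Resource`, `Condition` and `NotAction`).

```python
from fnmatch import fnmatchcase

# Actions granted by the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs.
REQUIRED_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents",
    "logs:FilterLogEvents",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(policy, effect):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == effect]

def trust_allows_apigateway(trust_policy):
    """True if apigateway.amazonaws.com may call sts:AssumeRole on the role."""
    for stmt in _statements(trust_policy, "Allow"):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if "apigateway.amazonaws.com" in services and any(
                fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            return True
    return False

def _matches(policy, effect, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), pat.lower())
               for s in _statements(policy, effect) for pat in _as_list(s.get("Action", [])))

def blocked_by_boundary(boundary, actions=REQUIRED_ACTIONS):
    """Actions the boundary explicitly denies or never allows; a boundary
    caps the role, so these fail even if the identity policy grants them."""
    return [a for a in actions
            if _matches(boundary, "Deny", a) or not _matches(boundary, "Allow", a)]

# Constructed sample documents (assumptions, not taken from the question).
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
NARROW_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:Describe*", "logs:PutLogEvents"],
     "Resource": "*"}]}
FIXED_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print("trust ok:", trust_allows_apigateway(TRUST))
    print("blocked by narrow boundary:", blocked_by_boundary(NARROW_BOUNDARY))
    print("blocked by fixed boundary:", blocked_by_boundary(FIXED_BOUNDARY))
```

To run it against a real role, paste in the trust policy and the boundary policy document, which `aws iam get-role` and `aws iam get-policy-version` return.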
