How to enable Cloudwatch logging for AWS API GW via Cloudformation template
E

4

15

I am trying to enable CloudWatch logs for AWS API Gateway via a CloudFormation template, but logging does not get enabled. I have tried setting LoggingLevel to INFO in both the Stage description and the Method settings. Any idea what I am missing?

When I manually enable logging through the UI, it works. It does not work when I try to enable it through the CloudFormation template below:

Note: I am just using a plain CloudFormation template, and I have already added the role ARN that has permissions to API Gateway in my account to log to CloudWatch.

TestDeployment:
  Type: AWS::ApiGateway::Deployment
  Properties:
    Description: API Deployment
    RestApiId: testApi
    StageName: 'dev'
    StageDescription:
      Description: Stage - DEV
      LoggingLevel: INFO
      MethodSettings:
        - ResourcePath: "/testresource"
          HttpMethod: "POST"
          LoggingLevel: INFO
Egotism answered 29/5, 2020 at 15:22 Comment(0)
G
5

UPDATE For APIGatewayV2 - Access Logs only (Execution logs aren't available for http).

The AWS documentation is pretty unclear. After some days of shotgun programming, I found this. Here is a CloudFormation template with API Gateway v2 that worked for me:

MyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/apigateway/nameOfLogGroupForCloudWatch
      RetentionInDays: 7
MyStage:
    Type: AWS::ApiGatewayV2::Stage
    Properties:
      # Begin CloudWatch
      AccessLogSettings:
        DestinationArn: !GetAtt MyLogGroup.Arn # This points to the log group above
        Format: '{ "requestId": "$context.requestId", "path": "$context.path", "routeKey": "$context.routeKey", "ip": "$context.identity.sourceIp", "requestTime": "$context.requestTime", "httpMethod": "$context.httpMethod","statusCode": $context.status }'
Giantism answered 12/5, 2022 at 15:27 Comment(0)
A
4

Please add the MetricsEnabled property in StageDescription to enable CloudWatch logs at the stage level. If you want to enable CloudWatch logs at the method level, add the MetricsEnabled property in MethodSettings. In the following example, I have enabled logs in both places.

TestDeployment:
  Type: AWS::ApiGateway::Deployment
  Properties:
    Description: API Deployment
    RestApiId: testApi
    StageName: 'dev'
    StageDescription:
      Description: Stage - DEV
      LoggingLevel: INFO
      MetricsEnabled: True
      MethodSettings:
        - ResourcePath: "/testresource"
          HttpMethod: "POST"
          LoggingLevel: INFO
          MetricsEnabled: True
Aston answered 31/5, 2020 at 8:27 Comment(1)
I tried it. It did not work. I contacted the AWS support team and they asked me to do the below, which solved the issue - MethodSettings: - ResourcePath: "/*" HttpMethod: "*" LoggingLevel: INFO. - Egotism
B
3

Here is the CloudFormation set up that worked for me:

AWSTemplateFormatVersion: "2010-09-09"
Resources:

  # Define the log group that you want to send logs to
  ApiLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 30

  # Define a role which will allow the API to send logs to CloudWatch
  ApiLoggingRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Allows the API to log errors to CloudWatch Logs
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - apigateway.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"

  # You need an API Gateway Account:
  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.html
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiLoggingRole.Arn

  # Define your API
  MyApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Description: My API Description
      Name: my-api-name
  # ... other API-related resources here ...

  # Add a Deployment resource. The DependsOn ApiGatewayAccount is important here.
  ApiDeployment:
    DependsOn:
      - SomePreviouslyDefinedMethodResource
      - ApiGatewayAccount
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref MyApi
      Description: My API deployment
      StageName: production
      StageDescription:
        LoggingLevel: INFO
        AccessLogSetting:
          DestinationArn: !GetAtt ApiLogGroup.Arn
          Format: '{ "requestId": "$context.requestId", "path": "$context.path", "requestTime": "$context.requestTime", "httpMethod": "$context.httpMethod","statusCode": "$context.status", "errorMessage": "$context.error.message" }'
Bigener answered 31/3, 2023 at 20:41 Comment(0)
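
A pre-deployment check for the conditions reported on this page: an AWS::ApiGateway::Account resource carrying CloudWatchRoleArn, the Deployment ordered after it with DependsOn, and method-level logging applied through the "/*" and "*" wildcard entry rather than a single path. This is an added example, not code from any of the answers; the function name, the finding labels and both sample templates are constructed for illustration, and the template is assumed to be already parsed into a dict in CloudFormation's JSON form.

```python
# Added example (not from the answers): lint a parsed CloudFormation template.
LOGGING_ON = {"ERROR", "INFO"}  # LoggingLevel values other than OFF

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_apigw_logging(template):
    """Return sorted (logical_id, finding) pairs; an empty list means clean."""
    resources = template.get("Resources", {})
    accounts = {name for name, res in resources.items()
                if res.get("Type") == "AWS::ApiGateway::Account"
                and res.get("Properties", {}).get("CloudWatchRoleArn")}
    findings = [] if accounts else [("<template>", "no-account-cloudwatch-role")]
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Deployment":
            continue
        stage = res.get("Properties", {}).get("StageDescription", {})
        logged = [m for m in _as_list(stage.get("MethodSettings"))
                  if m.get("LoggingLevel") in LOGGING_ON]
        wildcard = any(m.get("ResourcePath") == "/*" and m.get("HttpMethod") == "*"
                       for m in logged)
        # Answer B: the Deployment must be ordered after the Account resource.
        if accounts and not accounts & set(_as_list(res.get("DependsOn"))):
            findings.append((name, "deployment-not-ordered-after-account"))
        if stage.get("LoggingLevel") not in LOGGING_ON and not wildcard:
            findings.append((name, "execution-logging-off"))
        # The question's shape: per-path logging only, no "/*" + "*" entry.
        if logged and not wildcard:
            findings.append((name, "method-logging-without-wildcard"))
    return sorted(findings)

# Constructed samples: the question's Deployment, then a corrected variant.
QUESTION = {"Resources": {"TestDeployment": {
    "Type": "AWS::ApiGateway::Deployment",
    "Properties": {"StageName": "dev", "StageDescription": {
        "LoggingLevel": "INFO",
        "MethodSettings": [{"ResourcePath": "/testresource",
                            "HttpMethod": "POST", "LoggingLevel": "INFO"}]}}}}}
FIXED = {"Resources": {
    "ApiGatewayAccount": {"Type": "AWS::ApiGateway::Account", "Properties": {
        "CloudWatchRoleArn": {"Fn::GetAtt": ["ApiLoggingRole", "Arn"]}}},
    "TestDeployment": {"Type": "AWS::ApiGateway::Deployment",
        "DependsOn": ["ApiGatewayAccount"],
        "Properties": {"StageName": "dev", "StageDescription": {"MethodSettings": [
            {"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "INFO"}]}}}}}

if __name__ == "__main__":
    print(lint_apigw_logging(QUESTION))
    print(lint_apigw_logging(FIXED))
```

A role configured outside the template, as in the question, still shows up as no-account-cloudwatch-role here, because the check only sees what the template declares.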
A
1

Have you already configured the API Gateway RestApi to write logs to CloudWatch as described in the AWS documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

Note that you must set permissions for CloudWatch logging.

Ashburn answered 29/5, 2020 at 16:32 Comment(1)
Yes, I did add the role that has permissions to API Gateway at the account level. The question is about the deployment/stage logging. When I manually enable "Enable CloudWatch Logs" in the stage, it works. But it does not work when I try to enable it through the CloudFormation template. - Egotism
