Hello, I need to enable CloudWatch logs for API Gateway. We use CloudFormation to describe our infrastructure. As described in the documentation, in my case I need to create a role, and I created it like this:
  ApiGatewayCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          -
            Action:
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service:
                - "apigateway.amazonaws.com"
        Version: '2012-10-17'
      Path: /
      Policies:
        -
          PolicyName: 'ApiGatewayLogsPolicy'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "logs:*"
                Resource:
                  - "arn:aws:logs:::*"
Then I need to attach this role to the API Gateway account:
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn
But during stack creation I get this error:
The role ARN does not have required permissions set to API Gateway
I searched the internet, and in every thread people suggest adding a trust policy with the apigateway.amazonaws.com principal. But I have already specified that and still get this error message.
Answer 0 (score: 1)
In the end, I got it working by using one of AWS's managed policies.
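The approach the answer describes, written out as a complete template fragment (an added example, not code posted by the answerer): the role keeps the apigateway.amazonaws.com trust policy and attaches the AWS-managed policy AmazonAPIGatewayPushToCloudWatchLogs via ManagedPolicyArns instead of the broad logs:* inline policy from the question, which is both what API Gateway checks for and a narrower set of permissions. The managed policy name is supplied here from AWS documentation, not quoted from the answer.

```yaml
Resources:
  ApiGatewayCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      # AWS-managed, service-role policy that grants only the log group /
      # log stream / PutLogEvents permissions API Gateway needs, replacing
      # the wildcard logs:* inline policy.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

  # Account-level setting: this is the role API Gateway assumes to push
  # execution and access logs. !GetAtt creates the dependency on the role.
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn
```

After deploying, confirm the setting with `aws apigateway get-account` and check that `cloudwatchRoleArn` matches the role's ARN before enabling logging on a stage.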