I have to add a retention policy to the API Gateway CloudWatch logs, so I can't use the AWS-provided policy for this, i.e. arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
So I created my own role with a custom policy:
ApiGatewayCloudWatchLogsRole:
  Type: 'AWS::IAM::Role'
  DependsOn: APIGFunctionLogGroup   # not needed for the role itself, but harmless
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'   # quoted so the YAML parser does not read it as a date
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - apigateway.amazonaws.com
          Action: 'sts:AssumeRole'
    Path: /
    Policies:
      - PolicyName: APIGatewayPushLogsPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # Statement written as a list of statement objects; the posted
            # version had it as a bare mapping directly under Statement.
            - Effect: Allow
              # logs:CreateLogGroup is deliberately left out: the log group is
              # created by the template so that its retention can be set.
              Action:
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
                - 'logs:DescribeLogGroups'
                - 'logs:DescribeLogStreams'
                - 'logs:GetLogEvents'
                - 'logs:FilterLogEvents'
              Resource: '*'
Then I created the log group with a retention period:
APIGFunctionLogGroup:
  Type: 'AWS::Logs::LogGroup'
  Properties:
    RetentionInDays: 30
    # API Gateway writes execution logs to a group named
    # API-Gateway-Execution-Logs_{rest-api-id}/{stage-name}; this name has
    # no stage suffix, so it is not the group API Gateway will write to.
    LogGroupName: !Join
      - ''
      - - API-Gateway-Execution-Logs_
        - !Ref MyRestApi
And I pass the role created above to AWS::ApiGateway::Account:
ApiGatewayAccount:
  Type: 'AWS::ApiGateway::Account'
  DependsOn: APIGFunctionLogGroup
  Properties:
    CloudWatchRoleArn: !GetAtt
      - ApiGatewayCloudWatchLogsRole
      - Arn
But when deploying my API Gateway, I get an error message:
I also have the trust policy, but the API Gateway account is not being created.
Answer 0 (score: 0)
If you create the log group yourself, before API Gateway does, you should be able to use the existing policy/service role.
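The approach the answer describes, written out as an added example that is not part of the original question or answer: the account role keeps the AWS-managed AmazonAPIGatewayPushToCloudWatchLogs policy, the execution log group is created by the template with the name API Gateway actually uses (API-Gateway-Execution-Logs_{rest-api-id}/{stage-name}) and a retention policy, and the stage that turns logging on depends on both, so the group exists with retention before API Gateway would otherwise create it. The StageName parameter, the MOCK health method and the resource names are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example: pre-create the API Gateway execution log group with a
  retention policy while keeping the AWS-managed push-logs policy on the
  account role. Parameter and resource names are assumptions.

Parameters:
  StageName:
    Type: String
    Default: prod   # assumed stage name; part of the execution log group name

Resources:
  MyRestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: example-api

  # Minimal MOCK method so the API has something to deploy (assumed).
  HealthMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref MyRestApi
      ResourceId: !GetAtt MyRestApi.RootResourceId
      HttpMethod: GET
      AuthorizationType: NONE
      Integration:
        Type: MOCK
        RequestTemplates:
          application/json: '{"statusCode": 200}'
        IntegrationResponses:
          - StatusCode: 200
      MethodResponses:
        - StatusCode: 200

  ApiDeployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: HealthMethod
    Properties:
      RestApiId: !Ref MyRestApi

  # Service role for API Gateway using the AWS-managed policy; no custom
  # policy is needed because the log group is created below, not by API Gateway.
  ApiGatewayCloudWatchLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

  # Region-wide setting: one CloudWatch role per account and region.
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn

  # Execution log group with the exact name API Gateway writes to, so the
  # retention policy applies to the real logs rather than an unused group.
  ExecutionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub 'API-Gateway-Execution-Logs_${MyRestApi}/${StageName}'
      RetentionInDays: 30

  # Logging is enabled on the stage, which must come after both the account
  # role and the pre-created log group; otherwise API Gateway creates the
  # group itself without any retention setting.
  ApiStage:
    Type: AWS::ApiGateway::Stage
    DependsOn:
      - ApiGatewayAccount
      - ExecutionLogGroup
    Properties:
      RestApiId: !Ref MyRestApi
      DeploymentId: !Ref ApiDeployment
      StageName: !Ref StageName
      MethodSettings:
        - ResourcePath: '/*'
          HttpMethod: '*'
          LoggingLevel: INFO
          DataTraceEnabled: false   # full request/response logging can leak secrets
          MetricsEnabled: true
```

Two things to check after deploying: the log group name must match the API ID and stage name exactly, or API Gateway will quietly create a second group with no retention; and AWS::ApiGateway::Account is a per-region singleton, so a second stack in the same region that also declares it will overwrite the role ARN rather than add a new one.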