Problem

With Serverless Framework, I added the logging configuration below and got the following error.

provider:
  # 省略
  logs:
    restApi:
      accessLogging: false # Optional configuration which enables or disables access logging. Defaults to true.
      executionLogging: true # Optional configuration which enables or disables execution logging. Defaults to true.
      level: ERROR # Optional configuration which specifies the log level to use for execution logging. May be set to either INFO or ERROR.
      fullExecutionData: false # Optional configuration which specifies whether or not to log full requests/responses for execution logging. Defaults to true.

CloudWatch Logs role ARN must be set in account settings to enable logging

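Cause

API Gateway has no policy that allows it to write to CloudWatch.

Solution

Creating the following resources with CloudFormation makes the deployment pass. An AWS managed policy is provided for this.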

Resources:
  # For ApiGw logging
  ApiCWLRoleArn:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn
  CloudWatchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: apigateway.amazonaws.com
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
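An added example (not from the original post): a Python check that takes the JSON printed by `aws apigateway get-account`, `aws iam get-role` and `aws iam list-attached-role-policies` and reports which part of the setup above is missing. The sample JSON, account ID and role name are constructed, and the function names are hypothetical.

```python
import json

# Managed policy ARN taken from the template on this page.
PUSH_LOGS_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
APIGW_PRINCIPAL = "apigateway.amazonaws.com"

def _as_list(value):
    """IAM accepts a single object/string where a list is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_apigateway(trust_policy):
    """True if some Allow statement lets API Gateway call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and APIGW_PRINCIPAL in services):
            return True
    return False

def logging_problems(account, role, attached):
    """Return findings that differ from the setup on this page; empty means it matches."""
    role_arn = account.get("cloudwatchRoleArn")
    if not role_arn:
        return ["cloudwatchRoleArn is not set in the API Gateway account settings"]
    problems = []
    if role_arn != role["Role"]["Arn"]:
        problems.append("account settings point at a different role than the one inspected")
    if not trusts_apigateway(role["Role"]["AssumeRolePolicyDocument"]):
        problems.append("role trust policy does not allow " + APIGW_PRINCIPAL)
    arns = [p["PolicyArn"] for p in attached.get("AttachedPolicies", [])]
    if PUSH_LOGS_POLICY not in arns:
        problems.append("managed policy AmazonAPIGatewayPushToCloudWatchLogs is not attached")
    return problems

# Constructed sample CLI output (account ID and role name are placeholders).
SAMPLE_ROLE = json.loads("""{"Role": {"Arn": "arn:aws:iam::123456789012:role/example-apigw-cwl",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement":
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": "apigateway.amazonaws.com"}}}}}""")
SAMPLE_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AmazonAPIGatewayPushToCloudWatchLogs",
                                         "PolicyArn": PUSH_LOGS_POLICY}]}
UNSET_ACCOUNT = {"throttleSettings": {"burstLimit": 5000, "rateLimit": 10000.0}}
SET_ACCOUNT = dict(UNSET_ACCOUNT, cloudwatchRoleArn=SAMPLE_ROLE["Role"]["Arn"])

if __name__ == "__main__":
    print(logging_problems(UNSET_ACCOUNT, SAMPLE_ROLE, SAMPLE_ATTACHED))
    print(logging_problems(SET_ACCOUNT, SAMPLE_ROLE, SAMPLE_ATTACHED))
```

The trust-policy check accepts `Statement` written as a single mapping, as in the template above, as well as the list form.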