Knowledge sharing - Enable cloud watch logs for API Gateway using Serverless


#1

The Serverless team is still working on adding this feature to the core service directly (https://github.com/serverless/serverless/issues/4461). If you need to enable CloudWatch logs for API Gateway using Serverless now, please follow this document.

Got most help from this ticket: How to enable cloud watch logs for API Gateway using Serverless

But I still can’t make it work if I follow its code. So I need to understand how it works and how to enable CloudWatch logs in API Gateway.

  1. Provide an iam role ARN that has write access to CloudWatch logs in API gateway.

Go through this document:

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/

In general, you need to:

  • Create a new IAM role (for example, apigateway-cloudwatch-logs-role) with a trust policy for apigateway.amazonaws.com
  • Attach the existing AWS policy AmazonAPIGatewayPushToCloudWatchLogs to this role
  • Record this IAM role’s ARN
  • Add this IAM role’s ARN to API Gateway -> Settings -> CloudWatch log role ARN*

These are manual tasks.

With this setup, all your API Gateways are ready to generate access logs in CloudWatch. This is a global setting for API Gateway; that’s the reason why it can’t be managed by the Serverless Framework (in serverless.yml).

  2. Enable access logs

Add the lines below to serverless.yml; that’s all.

plugins:
  - serverless-plugin-stage-variables

resources:
  Resources:
    ApiGatewayStage:
      Type: AWS::ApiGateway::Stage
      Properties:
        MethodSettings:
          - DataTraceEnabled: true
            HttpMethod: "*"
            LoggingLevel: INFO
            ResourcePath: "/*"
            MetricsEnabled: true

Note: Don’t define Provider -> role with the new role you created above, because the Provider:role used in serverless.yml is for the Lambda functions, not for API Gateway. If you do that, you lose all permissions in the Lambda functions.

  3. Install the plugin serverless-plugin-stage-variables and run sls deploy

  4. Trigger several API Gateway requests; you should see the access logs in CloudWatch now.

The log group name is:

 API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}

References:

http://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
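
The manual steps from step 1 of the post above, written as AWS CLI calls. This is an added example, not part of the original thread: it uses the role name and managed policy named in the post, while the function names and the `--apply` / `--check` switches are constructs of this example.

```shell
#!/bin/sh
# Added example: account-level CloudWatch role setup for API Gateway.
set -eu

ROLE_NAME="apigateway-cloudwatch-logs-role"   # example name used in the post
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"

# Trust policy: only the API Gateway service principal may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "apigateway.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Execution log group name for a REST API id and stage.
log_group_name() {
  printf 'API-Gateway-Execution-Logs_%s/%s\n' "$1" "$2"
}

# Create the role, attach the managed policy, set the account-level role ARN.
enable_account_logging() {
  role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" \
    --query 'Role.Arn' --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  sleep 10   # a freshly created role can take a few seconds to become usable
  aws apigateway update-account \
    --patch-operations "op=replace,path=/cloudwatchRoleArn,value=$role_arn"
  # Read the setting back to confirm what API Gateway will use.
  aws apigateway get-account --query 'cloudwatchRoleArn' --output text
}

# Nothing touches AWS unless a switch is given (switch names are this example's).
case "${1:-}" in
  --apply) enable_account_logging ;;
  --check) aws logs describe-log-groups \
             --log-group-name-prefix "$(log_group_name "$2" "$3")" \
             --query 'logGroups[].logGroupName' --output text ;;
esac
```

Run it with `--apply` once per account, then with `--check <rest-api-id> <stage>` after a deploy and a few requests to confirm the execution log group exists.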


#2

What is the point of serverless-plugin-stage-variables here?


#3

The Serverless Framework doesn’t support stages (API Gateway stages) currently, so you need the plugin to help.


#4

Using that just gives me this error:

Cannot read property 'stageVariables' of undefined

Does it just want you to put something empty if you don’t want to use it? Maybe I’m missing something from your post.


#5

Add this to serverless.yml:

custom:
  stageVariables:
    env: ${self:provider.stage}


#6

Hi Bill,

Thanks for your docs!

I’m getting this error when I run sls deploy:

An error occurred: apiGatewayStage - Property RestApiId cannot be empty..

I’ve configured the API Gateway CloudWatch ARN, installed serverless-plugin-stage-variables and added this to resources.Resources:

ApiGatewayStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
        MetricsEnabled: true

Any clues?


#7

Solved this by adding RestApiId:

ApiGatewayStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    RestApiId:
      Ref: ApiGatewayRestApi
    MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
        MetricsEnabled: true

#8

Nice to hear your problem is fixed.

I didn’t have to set RestApiId in my serverless.yml, but good to know this.


#9

Hi Bill,

I am getting the following error.

Serverless Error ---------------------------------------

  An error occurred: ApiGatewayStage - 1 validation error detected: Value null at 'createStageInput.deploymentId' failed to satisfy constraint: Member must not be null (Service: AmazonApiGateway; Status Code: 400; Error Code: ValidationException; Request ID: 270600b3-97f0-11e8-b138-2f94522f87b3).

Wondering where I can get this deployment ID from?

My serverless code looks like this

ApiGatewayStage:
      Type: AWS::ApiGateway::Stage
      Properties:
        RestApiId:
          Ref: ApiGatewayRestApi
        StageName: ${self:provider.stage}
        MethodSettings:
          - DataTraceEnabled: true
            HttpMethod: "*"
            LoggingLevel: INFO
            ResourcePath: "/*"
            MetricsEnabled: true

#10

I am getting the same error :(. I opened an issue on the plugin’s GitHub (https://github.com/svdgraaf/serverless-plugin-stage-variables/issues/15) but I am starting to think it’s not necessarily related to that.

The deploymentId comes from here https://github.com/awslabs/aws-apigateway-sdk-java/blob/master/src/main/java/com/amazonaws/services/apigateway/model/CreateStageInput.java.