Knowledge sharing - Enable cloud watch logs for API Gateway using Serverless

bill · 2017-12-10 08:22:23 UTC

Serverless team are still working to add this feature in core service directly (https://github.com/serverless/serverless/issues/4461). If you need enable cloud watch logs for API Gateway using Serverless now, please follow this document.

Get most help from this ticket How to enable cloud watch logs for API Gateway using Serverless

But I still can’t make it work, if you follow its codes. So I need to understand how it works, how to enable cloudwatch logs in API Gateway.

Provide an iam role ARN that has write access to CloudWatch logs in API gateway.

Go through this documents

https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudwatch-logs/

in general, you need to do:

Create a new IAM role (for example, apigateway-cloudwatch-logs-role) with trust policy apigateway.amazonaws.com
Attach aws exist policy AmazonAPIGatewayPushToCloudWatchLogs to this role
Record this IAM role’s ARN
Add this iam role’s arn to apigatewa-> settings -> CloudWatch log role ARN*

These are manual tasks.

With this setup, all your api gateways are ready for generating access logs in Cloudwatch. This is a global setting for API Gateway, that’s the reason why it can’t be managed by serverless framework (in serverless.yml)

Enable access logs

Add below lines into serverless.yml, that’s all.

plugins:
  - serverless-plugin-stage-variables

resources:
  Resources:
     ApiGatewayStage:
      Type: AWS::ApiGateway::Stage
      Properties:
        MethodSettings:
          - DataTraceEnabled: true
            HttpMethod: "*"
            LoggingLevel: INFO
            ResourcePath: "/*"
            MetricsEnabled: true

Notes: Don’t define Provider -> role with the new role you created above, because the Provider:role used in serverless.yml is for lambda function, not for api gateway. If you do that, you lost all permissions in lambda functions.

Install the plugin serverless-plugin-stage-variables and run sls deploy
Trigger several api gateway access, you should see the access logs in cloudwatch now.

The log group name is:

 API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}

References:

http://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

stevenmwade · 2018-01-22 18:32:54 UTC

What is the point of serverless-plugin-stage-variables here?

bill · 2018-01-22 20:11:09 UTC

serverless framework does’t support stage ( api gateway stage) currently, so you need the plugin to help

stevenmwade · 2018-01-23 18:36:42 UTC

Using that just gives me this error:

Cannot read property 'stageVariables' of undefined

Does it just want you to put something empty if you don’t want to use it? Maybe I’m missing something from your post.

levz0r · 2018-01-31 23:20:10 UTC

Add this to serverless.yml:

custom:
stageVariables:
env: ${self:provider.stage}

mbfisher · 2018-04-12 01:03:36 UTC

Hi Bill,

Thanks for your docs!

I’m getting this error when I run sls deploy:

An error occurred: apiGatewayStage - Property RestApiId cannot be empty..

I’ve configured the API Gateway CloudWatch ARN, installed serverless-plugin-stage-variables and added this to resources.Resources:

ApiGatewayStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
        MetricsEnabled: true

Any clues?

mbfisher · 2018-04-12 02:19:53 UTC

Solve this by adding RestApiId:

ApiGatewayStage:
  Type: AWS::ApiGateway::Stage
  Properties:
    RestApiId:
      Ref: ApiGatewayRestApi
    MethodSettings:
      - DataTraceEnabled: true
        HttpMethod: "*"
        LoggingLevel: INFO
        ResourcePath: "/*"
        MetricsEnabled: true

bill · 2018-04-12 02:52:46 UTC

Nice to hear your problem is fixed.

I didn’t have to set RestApiId in my serverless.yml, but good to know this.