Attaching a role that can write logs to CloudWatch to API Gateway via CloudFormation



Hi, I need to enable CloudWatch logs for API Gateway. We use CloudFormation to describe our infrastructure. As described in the documentation, I need to create a role, which I did like this:

ApiGatewayCloudWatchLogsRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        -
          Action:
            - "sts:AssumeRole"
          Effect: "Allow"
          Principal:
            Service:
              - "apigateway.amazonaws.com"
      Version: '2012-10-17'
    Path: /
    Policies:
      -
        PolicyName: 'ApiGatewayLogsPolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "logs:*"
              Resource:
                - "arn:aws:logs:::*"

Then I need to attach this role to the API Gateway account:

ApiGatewayAccount:
  Type: AWS::ApiGateway::Account
  Properties:
    CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn

As a result, I get an error like this during stack creation:

The role ARN does not have required permissions set to API Gateway

I searched the internet, and in every thread people suggest adding a trust policy with the apigateway.amazonaws.com principal. But I have already specified it and still get this error message.

In the end, I got it working by using one of AWS's managed policies.

ApiGatewayCloudWatchLogsRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        -
          Action:
            - "sts:AssumeRole"
          Effect: "Allow"
          Principal:
            Service:
              - "apigateway.amazonaws.com"
      Version: '2012-10-17'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
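The following Python script is an added example, not code from the post or from AWS: it is an offline lint that checks a role of the kind AWS::ApiGateway::Account points at, using the two role definitions above (converted from YAML to the equivalent JSON-style dicts). It verifies that the trust policy lets apigateway.amazonaws.com call sts:AssumeRole, and that some Allow statement grants the CloudWatch Logs actions on a realistic log-group ARN. The action list attributed to the AmazonAPIGatewayPushToCloudWatchLogs managed policy and the sample log-group ARN are assumptions (the ARN is constructed; confirm the managed policy's current document in IAM). The matcher is a deliberate simplification of IAM evaluation: it models only the `*` and `?` wildcards and ignores Deny statements, NotAction and Condition keys. It also shows why a pattern such as `arn:aws:logs:::*` grants nothing on real log groups: the empty region and account fields are matched literally.

```python
# Added example (not from the post): offline lint for an API Gateway CloudWatch-logging role.
import fnmatch

# Actions granted by the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs.
# ASSUMPTION reproduced from memory; verify against the live policy document in IAM.
REQUIRED_LOG_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogGroups",
    "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:GetLogEvents", "logs:FilterLogEvents",
]

# CONSTRUCTED sample: the shape of an execution-log group ARN that API Gateway writes to.
SAMPLE_LOG_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:API-Gateway-Execution-Logs_abcd12/prod:*"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Service; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_sensitive):
    """IAM-style wildcard match ('*' and '?' only); actions compare case-insensitively."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def trusts_apigateway(trust_doc):
    """True if an Allow statement lets apigateway.amazonaws.com perform sts:AssumeRole."""
    for st in _as_list(trust_doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        services = _as_list(st.get("Principal", {}).get("Service"))
        actions = _as_list(st.get("Action"))
        if "apigateway.amazonaws.com" in services and any(
            _match(a, "sts:AssumeRole", False) for a in actions
        ):
            return True
    return False


def missing_log_actions(policy_docs, resource_arn=SAMPLE_LOG_ARN):
    """Required Logs actions that no Allow statement grants on resource_arn (Deny is ignored)."""
    missing = []
    for action in REQUIRED_LOG_ACTIONS:
        granted = any(
            st.get("Effect") == "Allow"
            and any(_match(a, action, False) for a in _as_list(st.get("Action")))
            and any(_match(r, resource_arn, True) for r in _as_list(st.get("Resource")))
            for doc in policy_docs
            for st in _as_list(doc.get("Statement"))
        )
        if not granted:
            missing.append(action)
    return missing


def lint_role(trust_doc, policy_docs):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not trusts_apigateway(trust_doc):
        findings.append("trust policy does not allow apigateway.amazonaws.com to assume the role")
    for doc in policy_docs:
        for st in _as_list(doc.get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            for r in _as_list(st.get("Resource")):
                # A logs ARN pattern whose region/account fields are empty matches nothing real.
                if r.startswith("arn:aws:logs:") and not _match(r, SAMPLE_LOG_ARN, True):
                    findings.append(f"resource pattern {r!r} does not match a log-group ARN such as {SAMPLE_LOG_ARN!r}")
    missing = missing_log_actions(policy_docs)
    if missing:
        findings.append("missing CloudWatch Logs permissions: " + ", ".join(missing))
    return findings


# Trust policy shared by both roles in the post.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Principal": {"Service": ["apigateway.amazonaws.com"]}}]}

# Inline policy from the first (failing) template.
INLINE_LOGS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*"], "Resource": ["arn:aws:logs:::*"]}]}

# ASSUMED contents of the managed policy attached in the second (working) template.
MANAGED_PUSH_TO_CW_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED_LOG_ACTIONS, "Resource": "*"}]}

if __name__ == "__main__":
    for name, docs in (("inline logs:* policy", [INLINE_LOGS_POLICY]),
                       ("managed policy", [MANAGED_PUSH_TO_CW_LOGS])):
        findings = lint_role(TRUST_POLICY, docs)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run stand-alone it reports two findings for the inline policy (the resource pattern matches no real log-group ARN, so every required action is effectively missing) and none for the managed policy. Because the check runs on plain policy documents, it can be wired into a pre-deploy step that reads the template's policy blocks before the stack is created.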
