1 Respuesta
- Más nuevo
- Más votos
- Más comentarios
2
I think it's looking for all the permissions required based on AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs as listed in this documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions. Then, I don't think you can specify the log group, since API Gateway uses the same CloudWatch logs IAM role across the region (e.g other REST APIs in the region will use the same IAM role).
The following sample should work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudWatchAccess1",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*:log-stream:*"
},
{
"Sid": "CloudWatchAccess2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:CreateLogGroup"
],
"Resource": "arn:aws:logs:<<aws_region>>:<<aws_account>>:log-group:*"
}
]
}
respondido hace 2 años
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 3 años
- OFICIAL DE AWSActualizada hace 3 años
- OFICIAL DE AWSActualizada hace 2 años
This is the first time I've consciously seen this information written down. That's super-helpful, thanks. I'll revert to using the managed policy and just ensure I've created my log-group before provisioning the APIG.