I need to add a retention policy to the API Gateway CloudWatch logs, so I cannot use the AWS-provided policy for this, i.e. arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs.
So I created my own role with a custom policy:
    ApiGatewayCloudWatchLogsRole:
      Type: 'AWS::IAM::Role'
      DependsOn: APIGFunctionLogGroup
      Properties:
        AssumeRolePolicyDocument:
          Version: 2012-10-17
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - apigateway.amazonaws.com
              Action: 'sts:AssumeRole'
        Path: /
        Policies:
          - PolicyName: APIGatewayPushLogsPolicy
            PolicyDocument:
              Version: 2012-10-17
              Statement:
                - Effect: Allow
                  Action:
                    - 'logs:CreateLogStream'
                    - 'logs:PutLogEvents'
                    - 'logs:DescribeLogGroups'
                    - 'logs:DescribeLogStreams'
                    - 'logs:GetLogEvents'
                    - 'logs:FilterLogEvents'
                  Resource: '*'
Then I create the LogGroup with its retention as:
    APIGFunctionLogGroup:
      Type: 'AWS::Logs::LogGroup'
      Properties:
        RetentionInDays: 30
        LogGroupName: !Join
          - ''
          - - API-Gateway-Execution-Logs_
            - !Ref MyRestApi
and pass the role created above to AWS::ApiGateway::Account:
    ApiGatewayAccount:
      Type: 'AWS::ApiGateway::Account'
      DependsOn: APIGFunctionLogGroup
      Properties:
        CloudWatchRoleArn: !GetAtt
          - ApiGatewayCloudWatchLogsRole
          - Arn
But when deploying the API Gateway I get the error:
I also have the trust policy in place, but the API Gateway Account is not created.
Best answer
If you create the log group yourself, you should be able to use the existing policy/service role before API Gateway does.
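As an added example that is not part of the original question or answer, this CloudFormation fragment applies the answer: the log group with its retention is declared up front, the role attaches the AWS-managed policy instead of the custom inline policy, and the account resource waits on the log group. The stage name prod, the MyRestApi resource and the execution log group naming form API-Gateway-Execution-Logs_<api-id>/<stage> are assumptions made for the example.

```yaml
Resources:
  # Declare the execution log group ourselves so RetentionInDays is set
  # before API Gateway would otherwise create the group with no retention.
  APIGFunctionLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 30
      # Assumed naming: API-Gateway-Execution-Logs_<rest-api-id>/<stage>,
      # with the stage name 'prod' as an example value.
      LogGroupName: !Sub 'API-Gateway-Execution-Logs_${MyRestApi}/prod'

  # Role assumed by the API Gateway service; it uses the AWS-managed
  # policy from the question instead of a hand-written inline policy.
  ApiGatewayCloudWatchLogsRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: apigateway.amazonaws.com
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'

  # Region-wide API Gateway account setting; wait for the log group so
  # logging never starts against a group without retention.
  ApiGatewayAccount:
    Type: 'AWS::ApiGateway::Account'
    DependsOn: APIGFunctionLogGroup
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchLogsRole.Arn
```

Execution logging still has to be enabled on the stage itself (MethodSettings on the AWS::ApiGateway::Stage), and the AWS::Logs::LogGroup resource fails if a group with that name already exists in the account, so delete any group API Gateway created earlier before deploying.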
About amazon-web-services - Adding a retention policy to API Gateway logs pushed to CloudWatch, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55278040/