01 Run the update-stage command (OSX/Linux/UNIX), using the ID of the API and the name of the API stage that you want to reconfigure as identifiers, to enable CloudWatch Logs for the selected API stage. The following command example enables CloudWatch logging (using the INFO log level) for an API stage named "Development", created for an API identified by the ID "aaabbbcccd":
aws apigateway update-stage \
    --region us-east-1 \
    --rest-api-id aaabbbcccd \
    --stage-name 'Development' \
    --patch-operations 'op=replace,path=/*/*/logging/loglevel,value=INFO' 'op=replace,path=/*/*/logging/dataTrace,value=true'
02 The command output should return the API stage metadata:
{
    "stageName": "Development",
    "cacheClusterSize": "0.5",
    "cacheClusterEnabled": false,
    "cacheClusterStatus": "NOT_AVAILABLE",
    "deploymentId": "z0haur",
    "lastUpdatedDate": 1509565398,
    "createdDate": 1509558521,
    "methodSettings": {
        "*/*": {
            "cacheTtlInSeconds": 300,
            "loggingLevel": "INFO",
            "dataTraceEnabled": true,
            "metricsEnabled": false,
            "unauthorizedCacheControlHeaderStrategy": "SUCCEED_WITH_RESPONSE_HEADER",
            "throttlingRateLimit": 10000.0,
            "cacheDataEncrypted": false,
            "cachingEnabled": false,
            "throttlingBurstLimit": 5000,
            "requireAuthorizationForCacheControl": true
        }
    }
}
03 If you don't see "loggingLevel": "INFO" in "methodSettings", follow steps 04 to 08 to create an IAM role for logging to CloudWatch. Otherwise, jump to step 08.
04 Create the necessary trust relationship (Trusted Entities) policy for the required IAM role. To create the trust relationship policy for the new role, paste the following information into a new policy document named cc-iam-role-trust-policy.json:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
05 Run the iam create-role command (OSX/Linux/UNIX) to create the AWS IAM role using the trust relationship policy defined at the previous step:
aws iam create-role \
    --role-name cc-apigateway-cloudwatch-role \
    --assume-role-policy-document file://cc-iam-role-trust-policy.json
06 Run the iam attach-role-policy command to attach the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs to the role created at the previous step:
aws iam attach-role-policy \
    --role-name cc-apigateway-cloudwatch-role \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs
07 Run the apigateway update-account command to attach the role created at the previous step:
aws apigateway update-account \
    --patch-operations op='replace',path='/cloudwatchRoleArn',value='arn:aws:iam::123456789012:role/cc-apigateway-cloudwatch-role'
08 Repeat steps no. 1 and 2 to enable CloudWatch Logs for other API stages available for the specified API.
09 Repeat steps no. 1 – 3 to enable AWS CloudWatch logging for other APIs available within the current region.
10 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
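The check in step 03 can be scripted when many stages have to be reviewed. The following is an added example, not part of the original procedure: it reads stage metadata in the JSON shape shown in step 02 and reports every method setting whose logging level is below the required one. The function name, the sample documents and the "pets/GET" override key are constructed for illustration.

```python
import json

# Valid API Gateway loggingLevel values, ordered from least to most verbose.
LEVELS = {"OFF": 0, "ERROR": 1, "INFO": 2}


def logging_gaps(stage, min_level="INFO"):
    """Return {method_key: reason} for method settings below min_level.

    `stage` is the parsed JSON document printed by update-stage (step 02).
    An empty result means the stage passes the step 03 check.
    """
    settings = stage.get("methodSettings") or {}
    gaps = {}
    # Without a "*/*" entry there is no stage-wide logging configuration.
    if "*/*" not in settings:
        gaps["*/*"] = "no stage-wide method setting"
    for key, cfg in settings.items():
        # A missing or unknown level is treated as OFF.
        level = cfg.get("loggingLevel", "OFF")
        if LEVELS.get(level, 0) < LEVELS[min_level]:
            gaps[key] = f"loggingLevel is {level}"
    return gaps


# Constructed samples in the shape of the step 02 output (trimmed).
STAGE_OK = json.loads(
    '{"stageName": "Development", "methodSettings":'
    ' {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": true}}}'
)
STAGE_UNSET = json.loads('{"stageName": "Development", "methodSettings": {}}')
# Stage-wide logging is on, but one per-method override switches it off.
STAGE_OVERRIDE = json.loads(
    '{"stageName": "Development", "methodSettings":'
    ' {"*/*": {"loggingLevel": "INFO"}, "pets/GET": {"loggingLevel": "OFF"}}}'
)
STAGE_ERROR_ONLY = json.loads(
    '{"stageName": "Development", "methodSettings":'
    ' {"*/*": {"loggingLevel": "ERROR"}}}'
)

if __name__ == "__main__":
    for name, stage in [("ok", STAGE_OK), ("unset", STAGE_UNSET),
                        ("override", STAGE_OVERRIDE), ("error-only", STAGE_ERROR_ONLY)]:
        gaps = logging_gaps(stage)
        print(name, "PASS" if not gaps else f"FAIL {gaps}")
```

A stage with any reported gap needs step 01 re-run, and steps 04 to 07 if the account has no CloudWatch role yet.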