I have created an API in Amazon API Gateway and would like to enable CloudWatch Logs for my API. How do I do this?

With Amazon API Gateway, you can create an API using the API Gateway console, the AWS CLI, the API Gateway control service REST API, and platform-specific or language-specific SDKs. The example in this article was created with the Amazon API Gateway console as described at Build and Test an API Gateway API from an Example. This article also describes how to enable CloudWatch Logs by using the AWS CloudWatch console.

1.    If you do not yet have an AWS account, go to Get Ready to Use Amazon API Gateway and Sign Up for AWS.

2.    Complete the steps to Create an IAM User, Group or Role in Your AWS Account.

3.    Complete the steps to Grant IAM Users Permissions to Access API Gateway Control and Execution Services as required.

4.    Open the AWS IAM console and select Roles.

5.    Select an existing role name or create a new role and select the name of the new role to display the Role Summary page. Ensure that the Permissions tab is selected on the Role Summary page and attach the AmazonAPIGatewayPushToCloudWatchLogs policy to the role. If you create a new role, choose the Amazon API Gateway role type in the role wizard, and the appropriate policy will be displayed when you are prompted to attach a policy to the role. This policy grants the role full permissions to create CloudWatch Logs, required to enable CloudWatch Logs for APIs. Make a note of the role ARN displayed at the top of the page for the role because you will need to specify this ARN as the CloudWatch log role ARN in the API Gateway console Settings page. This IAM role should have the following trust policy:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "",

            "Effect": "Allow",

            "Principal": {

                "Service": "apigateway.amazonaws.com"

            },

            "Action": "sts:AssumeRole"

        }

    ]

}

6.    After you grant an IAM user appropriate permissions for the API Gateway, sign in to the Amazon API Gateway console as that IAM user and follow the steps to Build and Test an API Gateway API from an Example if you have not yet created an API Gateway API. If you’ve already created your own, make sure you’ve deployed it to a stage.

Open the API Gateway console and follow these steps to enable CloudWatch Logs for your API Gateway APIs:

1.    From the left navigation pane, choose Settings and enter the ARN of the role that the AmazonAPIGatewayPushToCloudWatchLogs policy is attached to.

2.    Choose Save.

3.    Select your API from the list displayed at the left, and then select the Stages category for your API.

4.    In the middle pane, select your desired stage. In the right pane of the API Gateway console, under CloudWatch Settings, select the check box to Enable CloudWatch Logs. Then set desired Log Level to INFO or ERROR and choose Save Changes.

It is also possible to control logging at the individual method level, independent of the setting for the entire stage:

1.    From the middle pane of the API Gateway console, select the triangle next to the top stage of your API to expand the API hierarchy of methods and options. If you created and have expanded the example API hierarchy, select the GET method listed under the /pets/{petId} stage at the bottom of the hierarchy.

2.    In the right pane, under Settings, choose Override for this method. A new option to Enable CloudWatch Logs appears. Select the check box, and then set the desired Log Level, as before.

Even if logging is disabled at the Stage level, enabling it here logs calls to this method alone.

Make a note of the Invoke URL: listed at the top of the page. This URL should be similar to the following if you created the example API Gateway API:

https://uid.execute-api.regionidentifier.amazonaws.com/test/pets/{petId}

This URL can be used to invoke the /pets/{petId} method of the example API by opening a browser and substituting a positive integer value for {petId}; for example, /pets/555.

Open the CloudWatch console and choose Logs from the left navigation pane. If you successfully enabled CloudWatch Logs for API Gateway, you will see the entry /aws/apigateway/welcome listed in the Log Groups section of the right pane.

Note: You might need to redeploy your API after enabling CloudWatch logs from the API Gateway console before your logs are visible in the CloudWatch console.

Your API will have a Log Group titled API-Gateway-Execution-Logs_api-id/ that contains numerous log streams.

Amazon API Gateway, API, logs, CloudWatch, metrics, IAM, AmazonAPIGatewayPushToCloudWatchLogs, role, policy, settings, monitoring


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-08-25