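I have an API gateway that I'm trying to deploy to dev, but I keep getting an error about CloudWatch logging. I can't find how to correctly set up the permissions for the deployment. Hopefully someone has some knowledge that can help, because the documentation is very vague and not really helpful. I'd like to attach the correct permissions and policies in the template or the CLI.

Here is the error I'm getting:

```
Resource handler returned message: "CloudWatch Logs role ARN must be set in account settings to enable logging (Service: ApiGateway, Status Code: 400, Request ID: ac7ee97a-255b-4be9-8352-66b762f87c5d)" (RequestToken: 88b15f37-2b1c-cfa2-43d7-5ca7b8572b63, HandlerErrorCode: InvalidRequest)
```

Here is my template.yaml file: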
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  gofiber-sam-v1
  Sample SAM Template for gofiber-sam-v1
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 60
Parameters:
  DeploymentStage:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - v1
    Description: Deployment Stage
Resources:
  CloudWatchLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/GoFiberApp
      RetentionInDays: 30
  GoFiberAppRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
  GoFiberAppPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: GoFiberAppPolicy
      Roles:
        - !Ref GoFiberAppRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject
              - s3:GetObject
            Resource: "*"
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
            Resource: arn:aws:logs:*:*:log-group:/aws/lambda/GoFiberApp:*
  GoFiberApp:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Metadata:
      Name: "GoFiber Sam API Handler"
    Properties:
      CodeUri: ./
      Handler: main
      Runtime: go1.x
      Role: !GetAtt GoFiberAppRole.Arn
      Architectures:
        - x86_64
      Events:
        ProxyEvent:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: ANY
            RestApiId: !Ref ApiGatewayRestApi
  ApiGatewayRestApi:
    Type: AWS::Serverless::Api # More info about API Resource:
    Metadata:
      Name: "AdPrompt API (is2p5yk9v3)"
    Properties:
      StageName: dev
      Auth:
        ApiKeyRequired: true
      MethodSettings:
        - HttpMethod: "*"
          LoggingLevel: INFO
          ResourcePath: "/*"
      AccessLogSetting:
        DestinationArn: !GetAtt CloudWatchLogGroup.Arn
        Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","requestTime":"$context.requestTime","httpMethod":"$context.httpMethod","routeKey":"$context.routeKey","status":"$context.status","responseLength":"$context.responseLength"}'
  ApiGatewayRestApiRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action: sts:AssumeRole
  ApiGatewayDeployment:
    Type: AWS::ApiGateway::Deployment
    Properties:
      RestApiId: !Ref ApiGatewayRestApi
  DevStage:
    Type: AWS::ApiGateway::Stage
    Condition: IsDev
    Properties:
      StageName: dev
      Description: Dev Stage
      RestApiId: !Ref ApiGatewayRestApi
      DeploymentId: !Ref ApiGatewayDeployment
  V1Stage:
    Type: AWS::ApiGateway::Stage
    Condition: IsV1
    Properties:
      StageName: v1
      Description: Prod Stage
      RestApiId: !Ref ApiGatewayRestApi
      DeploymentId: !Ref ApiGatewayDeployment
Conditions:
  IsDev: !Equals [!Ref DeploymentStage, 'dev']
  IsV1: !Equals [!Ref DeploymentStage, 'v1']
Outputs:
  GoFiberAPI:
    Description: "API Gateway endpoint URL AdPrompt API"
    Value: !Sub "https://${ApiGatewayRestApi}.execute-api.${AWS::Region}.amazonaws.com/${DeploymentStage}" # Construct the API endpoint URL using the RestApiId and StageName
    Export:
      Name: "GoFiberAPI"
  ApiGatewayRestApi:
    Description: "RESTful API"
    Value: !Ref ApiGatewayRestApi # Use the intrinsic function Ref to reference the RestApiId
  ApiGatewayRestApiIamRole:
    Description: "IAM role for GoFiber API Gateway"
    Value: !GetAtt ApiGatewayRestApiRole.Arn
```
You can modify your `AssumeRolePolicyDocument` as follows (`apigateway.amazonaws.com` has been added):

```yaml
GoFiberAppRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
              - apigateway.amazonaws.com
          Action: sts:AssumeRole
```
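
The error above says the account-level CloudWatch Logs role ARN is not set. As an added example (not part of the original question or answer), this template fragment sets it with `AWS::ApiGateway::Account` and a dedicated role that only API Gateway can assume, which keeps the Lambda execution role's trust policy limited to `lambda.amazonaws.com`. The logical IDs `ApiGatewayCloudWatchRole` and `ApiGatewayAccount` are hypothetical names.

```yaml
Resources:
  # Hypothetical logical ID: a role used only for API Gateway logging.
  # Its trust policy names apigateway.amazonaws.com and nothing else.
  ApiGatewayCloudWatchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # AWS managed policy granting the CloudWatch Logs write actions
        # API Gateway needs; no S3 or other permissions are attached.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs

  # Hypothetical logical ID: sets the "CloudWatch Logs role ARN" in the
  # API Gateway account settings that the 400 error refers to.
  ApiGatewayAccount:
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt ApiGatewayCloudWatchRole.Arn
```

The account setting applies per account and Region and is shared by every API there, so a stage that enables logging has to be created after it (for raw `AWS::ApiGateway::Stage` resources, with `DependsOn: ApiGatewayAccount`).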