[apigatewayv2] Allow configuring access logging

Currently there’s no way on the HttpApi or HttpStage construct to enable access logging as specified via https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigatewayv2-stage-accesslogsettings.html.

This is pretty easy to set up via sam but there’s no equivalent atm for cdk.

Use Case

Enable access logs for HttpApi

Proposed Solution

  • Implement AccessLogSettings on HttpStage
  • Add logging prop to HttpApi which enables logging for all routes

I also think when the above is added to HttpApi that it should create its own log group and the permissions necessary for the HttpApi to write to it.

Other

  • 👋 I may be able to implement this feature request

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 66
  • Comments: 18 (1 by maintainers)

Top GitHub Comments

16 reactions
lifeofzero commented, Aug 24, 2021

@jumpinjan this is how I got it to work, if that’s helpful.

    // Setup the access log for APIGWv2
    const accessLogs = new logs.LogGroup(this, 'APIGW-AccessLogs')
    const stage = httpApi.defaultStage?.node.defaultChild as apigateway.CfnStage
    stage.accessLogSettings = {
      destinationArn: accessLogs.logGroupArn,
      format: JSON.stringify({
        requestId: '$context.requestId',
        userAgent: '$context.identity.userAgent',
        sourceIp: '$context.identity.sourceIp',
        requestTime: '$context.requestTime',
        requestTimeEpoch: '$context.requestTimeEpoch',
        httpMethod: '$context.httpMethod',
        path: '$context.path',
        status: '$context.status',
        protocol: '$context.protocol',
        responseLength: '$context.responseLength',
        domainName: '$context.domainName'
      })
    }

    const role = new iam.Role(this, 'ApiGWLogWriterRole', {
      assumedBy: new iam.ServicePrincipal('apigateway.amazonaws.com')
    })

    const policy = new iam.PolicyStatement({
      actions: [
        'logs:CreateLogGroup',
        'logs:CreateLogStream',
        'logs:DescribeLogGroups',
        'logs:DescribeLogStreams',
        'logs:PutLogEvents',
        'logs:GetLogEvents',
        'logs:FilterLogEvents'
      ],
      resources: ['*']
    })

    role.addToPolicy(policy)
    accessLogs.grantWrite(role)

12 reactions
PeterAronZentai commented, Feb 19, 2021

@ltearno it does indeed work!

    const log = new awslog.LogGroup(this, 'log')
    const stage = backendB.defaultStage?.node.defaultChild as apigwv2.CfnStage;
    stage.accessLogSettings = {
        destinationArn: log.logGroupArn,
        format: `$context.identity.sourceIp - - [$context.requestTime] "$context.httpMethod $context.routeKey $context.protocol" $context.status $context.responseLength $context.requestId`,
    }

Much thanks!

Also you unlocked L1 hacking for me - megathanks for that.
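
An added example, not part of the issue thread or of the CDK project: a parser for the two access-log formats configured in the comments above (the JSON format and the CLF-style format), with a per-source-IP count of 401/403 responses. The sample lines, the abridged JSON field set and the function names are constructed for illustration.

```typescript
interface AccessRecord {
  requestId: string;
  sourceIp: string;
  method: string;
  target: string; // $context.path (JSON format) or $context.routeKey (CLF-style)
  status: number;
}

// CLF-style format from the second comment. $context.routeKey itself contains
// a space ("GET /items/{id}"), so the middle group is greedy.
const CLF = /^(\S+) - - \[[^\]]+\] "(\S+) (.+) \S+" (\d{3}) \S+ (\S+)$/;

function parseAccessLine(line: string): AccessRecord | null {
  const text = line.trim();
  if (text.charAt(0) === "{") {
    let obj: Record<string, unknown> = {};
    try { obj = JSON.parse(text); } catch { return null; } // malformed: never guess
    const { requestId, sourceIp, httpMethod, path, status } = obj;
    if (typeof requestId !== "string" || typeof sourceIp !== "string" ||
        typeof httpMethod !== "string" || typeof path !== "string") return null;
    const code = Number(status);
    if (!(code >= 100 && code <= 599)) return null;
    return { requestId, sourceIp, method: httpMethod, target: path, status: code };
  }
  const m = CLF.exec(text);
  if (m === null) return null;
  return { sourceIp: m[1], method: m[2], target: m[3], status: Number(m[4]), requestId: m[5] };
}

// Count 401/403 responses per source IP. Unparsed lines are counted, not dropped,
// so a changed format or a broken line shows up in the result.
function summarizeDenied(lines: string[]): { denied: Record<string, number>; unparsed: number } {
  const denied: Record<string, number> = {};
  let unparsed = 0;
  for (const line of lines) {
    const rec = parseAccessLine(line);
    if (rec === null) unparsed++;
    else if (rec.status === 401 || rec.status === 403)
      denied[rec.sourceIp] = (denied[rec.sourceIp] || 0) + 1;
  }
  return { denied, unparsed };
}

// Constructed sample lines (JSON entries abridged to the fields read above).
const SAMPLE_LINES: string[] = [
  '{"requestId":"req-1","sourceIp":"203.0.113.7","httpMethod":"GET","path":"/admin","status":"403"}',
  '203.0.113.7 - - [24/Aug/2021:10:00:01 +0000] "GET GET /items/{id} HTTP/1.1" 401 23 req-2',
  '198.51.100.9 - - [24/Aug/2021:10:00:02 +0000] "POST $default HTTP/1.1" 200 512 req-3',
  '{"requestId":"req-4","userAgent":"bad"quote","status":"403"}',
];
```

Calling `summarizeDenied(SAMPLE_LINES)` attributes two denied requests to 203.0.113.7 and reports the fourth line as unparsed.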
