Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Allow AWS HTTP API logs to be permissioned via external IAM role
See original GitHub issueIs there an existing issue for this?
- I have searched existing issues, it hasn’t been reported yet
Use case description
the Rest API has provider.logs.restApi.role which allows and externally managed role to be used for logging to CloudWatch.
However, provider.logs.httpApi.role does not. This is causing a problem for me as I have a large number of HTTP API G/Ws in a single account and so CF/sls adds an additional resource entry to the policy for each API.
As a result, I’ve hit an AWS limit here, reported by this error:
`Cannot enable logging. Policy document length breaking Cloudwatch Logs Constraints, either < 1 or > 5120 (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: 60e2fc0c-2971-48b0-8e41-0bf37fb016c6; Proxy: null)`
If there is a workaround for this, I’d be grateful to hear it, failing that, it would be good to add this support to httpAPI logging.
Proposed solution (optional)
No response
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:11 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Hi @pgrzesik
It’s a good question – this doesn’t seem to be visible in IAM, Cloudwatch, or API GW AWS Console UIs. I was only able to find it via the
aws logsCLI.Here is the full output of that command (now truncated to only a few
Resourceentries since I deleted it)UPDATE: After further googling, I found this StackOverflow article which seems to shed some light.
Given this, I think you are probably correct and this is an AWS thing, rather than a Framework thing…
Thanks @bradwood - setting anything via SDK is something that we usually try to avoid unless there’s a really good reason to do so. Thanks for sharing your workaround. If we get more reports about this being a major issue, we might revisit implementing a robust solution as a part of the Framework, but for now I think we should postpone it.