@ywang9009gmail The solution is mentioned a few comments above:

So the solution is to have both configured provider.cfnRole and provider.logs.restApi.role that should ensure there’s not attempt to create a new role by the framework.

The effect is that serverless will then use the cfnRole to run that custom resource lambda that checks and assigns to API Gateway the CloudWatch role you specified by restApi.role. If you already specify a cfnRole for limited-access deployments, that role must have a number of permissions assigned which were mentioned across various other issues. This is what policies I had to add to get it working (statements below extracted from role definition of MyCfnRole, I specified only stuff I had to add to be able to deploy once I enabled the logs):

Resources:
  MyCfnRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: MyCfnRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
[...]
      Policies:
        - PolicyName: CloudWatch
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  - !Sub arn:#{AWS::Partition}:iam::#{AWS::AccountId}:role/MyCfnRole
                  - !Sub arn:#{AWS::Partition}:iam::#{AWS::AccountId}:role/MyApiLogRole
              - Effect: Allow
                Action:
                  - apigateway:GET
                  - apigateway:PATCH
                Resource:
                  - arn:#{AWS::Partition}:apigateway:*::/account
[...]

      ManagedPolicyArns:
        # Required for deploying custom resources (which serverless uses to activate API Gateway logs)
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

With this above config, I can confirm it works using the latest serverless v1.63, so I mentioned here in case somebody else hits it.

@medikoo @pmuens I played with this and I have to say I do not like the custom resource solution. At a minimum, it needs a dedicated documentation page to explain the effects of each setting, I had to wade through multiple github issues to figure out how it works and basically wasted a day. Admittedly, part of it discovering the missing permissions, given that CloudFormation is not always helpful. I have also ran into #6643, which in my case was likely due to lack of permissions, but the error was hidden away by the 10-retry logic in the custom resource which possibly got me the “too many requests errors”.

I understand that the CloudWatch log ARN is a global setting and you can’t add/remove it at will. What I would like to see then is for serverless not to try to set it at all. I am perfectly fine setting up a role at account level and assign it to API Gateway directly through CloudFormation resources (I do this in a separate “account setup” deployment). And I do not want the API deployment to create a custom resource just to double-check my ARN there, it looks like too much hassle to me and it forces me to grant additional permissions which are better left to the “account setup” part.

One simple way is to add an extra boolean setting to control this behavior. When false, assume it’s been assigned externally and do not create the custom resource (but: more settings = more confusion).

Another way is to just make this the default behavior and assume that when a role is given, it’s been also configured in API Gateway, so no need to use the custom resource at all. Document this (see above) and it’ll be fine. Figuring out all those permissions certainly takes more time than setting up the role via resources section.

@medikoo

• I just need serverless to enable logs while creating/Adding resources to API gateway and I have provided the role in restApi.role.
• I do not want serverless to create any custom lambda resources just to enable logs in API gateway.I just want API gateway logs to flow to cloudwatch.

Can you help me understand why serverless is trying to create custom resources in the first place ?