8

I am trying to set up a really basic API with the AWS API Gateway product and it seems I cannot find any policies which will suffice for it to log and, for that matter, even leave the first page of the settings screen. I am stuck here:

URL: https://eu-west-1.console.aws.amazon.com/apigateway/home?region=eu-west-1#/settings

and my desperation has led to the following permissions being granted to the role:

[screenshot: the policies attached to the role]

I've also added the following bespoke policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

All to no avail. Whenever I press the save button I get the following:

[screenshot: the error shown when pressing save]

Any help would be greatly appreciated.

ken

1 Answer

10

This is actually an error with API Gateway not being able to assume that specific role. This is probably due to your role's Trust Relationship policy not allowing the API Gateway Service to assume the role.

If you add the following Trust Relationship policy, it should work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Paddez
  • perfect. you're my hero. – ken Nov 03 '15 at 23:51
  • I have attached this policy and now get this error "An error occurred: Policy document should not specify a principal." – rkaltreider Jun 03 '16 at 13:24
  • Hi rkaltreider - this is a Trust Relationship policy - rather than a typical IAM policy attached to a User/Group: For example - http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs-third-party.html – Paddez Jun 05 '16 at 07:28
  • Oops I already had "trust relationship" with the role BUT with principal service `"event.amazonaws.com"` not `apigateway.amazonaws.com`. So changing service to `apigateway.amazonaws.com` works – prayagupa Nov 18 '18 at 20:27
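The thread mixes up two different documents: the logs policy in the question is a permission (identity) policy attached to the role, while the answer's document is the role's trust policy (its AssumeRolePolicyDocument), which is why pasting the latter into the former slot yields "Policy document should not specify a principal". The following is an added example, not code from the question or the answer: a small Python checker that takes both documents from the page (plus the wrong-service variant from the last comment and a constructed hardened variant) and reports whether each is a trust policy, whether apigateway.amazonaws.com can assume the role, and whether the trust is pinned to an account with aws:SourceAccount / aws:SourceArn. The account ID and the condition block are assumptions for illustration; whether the account-level CloudWatch role honours those keys for API Gateway should be confirmed against the current API Gateway documentation.

```python
"""Classify IAM policy documents from the API Gateway / CloudWatch Logs thread.

Added example (not the page's own code). Pure standard library, runs offline.
"""
import json

API_GATEWAY = "apigateway.amazonaws.com"

# Sample 1: the logs permission policy from the question. No Principal, so it
# is an identity policy for the role, not a trust policy.
PERMISSION_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
  "Resource": "arn:aws:logs:*:*:*"}]}
""")

# Sample 2: the trust policy from the answer.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Service": "apigateway.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}
""")

# Sample 3: the mistake from the last comment, trust granted to another service.
WRONG_SERVICE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "event.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
""")

# Sample 4 (constructed, assumption): same trust, pinned to one AWS account so
# an API Gateway in someone else's account cannot use this role. The account
# ID is a placeholder.
HARDENED_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]}
""")


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_trust_policy(doc):
    """A trust policy is resource-based: its statements name a Principal.
    Attaching such a document as an identity policy fails with
    'Policy document should not specify a principal'."""
    return any("Principal" in s or "NotPrincipal" in s
               for s in _as_list(doc["Statement"]))


def _service_principals(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service", []))
    return []


def service_can_assume(doc, service=API_GATEWAY):
    """True if an Allow statement lets `service` call sts:AssumeRole and no
    matching Deny exists (an explicit Deny always wins in IAM)."""
    allowed = False
    for stmt in _as_list(doc["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principals = _service_principals(stmt)
        if service not in principals and "*" not in principals:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def has_source_condition(doc):
    """Confused-deputy hardening check: is the trust pinned with
    aws:SourceAccount or aws:SourceArn in any Condition block?"""
    for stmt in _as_list(doc["Statement"]):
        for keys in stmt.get("Condition", {}).values():
            if any(k.lower() in ("aws:sourceaccount", "aws:sourcearn") for k in keys):
                return True
    return False


def diagnose(doc, service=API_GATEWAY):
    """One-line verdict for a document meant to be the role's trust policy."""
    if not is_trust_policy(doc):
        return "not a trust policy: no Principal; attach it as a permission policy instead"
    if not service_can_assume(doc, service):
        return f"{service} cannot assume this role: fix Principal.Service / Action"
    if not has_source_condition(doc):
        return "assumable, but unpinned: consider an aws:SourceAccount/aws:SourceArn condition"
    return "ok"


if __name__ == "__main__":
    for name, doc in [("permission", PERMISSION_POLICY), ("trust", TRUST_POLICY),
                      ("wrong-service", WRONG_SERVICE_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)]:
        print(f"{name:14s} {diagnose(doc)}")
```

To run the same check against a real role, pull its trust policy with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass the JSON to `diagnose`; the attached logs permissions live separately under `aws iam list-attached-role-policies` / `list-role-policies`, which is the split the thread's "should not specify a principal" error is pointing at.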