thien k phan

Insufficient permissions to enable logging (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException;…)

This error appeared while I was working on a serverless monorepo CI/CD deployment. It occurs when you try to deploy a serverless application on AWS, although it should really name the specific missing IAM permission.
 
🚫
Insufficient permissions to enable logging (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: xxxxx; Proxy: null)
🔎 Root cause: You're probably missing the following IAM permission actions:
  • logs:CreateLogDelivery
  • logs:PutResourcePolicy
  • logs:DescribeResourcePolicies
  • logs:DescribeLogGroups
If any of these types of logs is already being sent to a log group in CloudWatch Logs, then to set up the sending of another one of these types of logs to that same log group, you only need the logs:CreateLogDelivery permission.
💡 Solution: Attach the permissions above inline, or create a new policy that includes the following permissions (you can refine the Resource element with more granular permissions):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:CreateLogDelivery",
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
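Because the error does not say which action is missing, a deploy role's policy document can be checked offline against the four actions listed above before the next pipeline run. This is an added example, not code from the original post: the function names and the sample policy are constructed, and the check looks only at Effect and Action (Resource, Condition and NotAction are ignored).

```python
import json
from fnmatch import fnmatchcase

# Actions the post lists as required to enable logging.
REQUIRED = [
    "logs:CreateLogDelivery",
    "logs:PutResourcePolicy",
    "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
]

def _as_list(value):
    # IAM accepts either a single value or a list for Action/Statement.
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy_json, log_group_already_receiving=False):
    """Return the required actions the policy does not effectively allow.

    Simplification (assumption): only Effect and Action are evaluated;
    Resource, Condition and NotAction are ignored.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    # Per the post, an existing delivery to the same log group means only
    # logs:CreateLogDelivery is needed.
    needed = REQUIRED[:1] if log_group_already_receiving else REQUIRED
    allowed, denied = [], []
    for st in statements:
        target = allowed if st.get("Effect") == "Allow" else denied
        target.extend(_as_list(st.get("Action")))
    # An explicit Deny overrides any Allow.
    return [a for a in needed
            if not _matches(allowed, a) or _matches(denied, a)]

# Constructed sample: a CI deploy policy that is missing two actions.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:Describe*", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print(missing_actions(SAMPLE))
```

An empty list means the document allows every action the post names; it does not prove the role's other attached policies, permission boundaries or SCPs agree.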