I want to debug errors with an Amazon API Gateway REST API or WebSocket API that I'm creating.
Short description
To troubleshoot an API Gateway REST API or WebSocket API, use Amazon CloudWatch Logs. For information about the types of log formats, see CloudWatch log formats for API Gateway.
Note: HTTP APIs support only access logging. For more information, see Configure logging for HTTP APIs in API Gateway.
You can find the following information in the logs:
Resolution
Create an IAM role to send logs to CloudWatch
Complete the following steps:
- Open the AWS Identity and Access Management (IAM) console.
- In the navigation pane, choose Roles.
- In the Roles pane, choose Create role.
- On the Create role page, enter the following information:
  - For Trusted entity, choose AWS Service.
  - For Use case, choose API Gateway, and then choose the API Gateway radio button.
  - Choose Next.
- Under Permissions policies, use the default AmazonAPIGatewayPushToCloudWatchLogs AWS managed policy that has all the required permissions.
- Choose Next.
- Under Name, review and create, enter the following information:
  - For Role name, enter a name for the role.
  - (Optional) For Role description, edit the description to your preferences.
  - (Optional) Add tags.
  - Choose Create role.
- In the Roles pane, choose the role that you created.
- In the Summary pane, note the role's ARN to use in the next section.
For information about permissions, see Permissions for CloudWatch logging.
Add the IAM role in the API Gateway console
Complete the following steps:
- Open the API Gateway console.
- In the APIs pane, choose the name of the REST API or WebSocket API, not the HTTP API.
- In the navigation pane, choose Settings.
- Under Settings, for CloudWatch log role ARN, enter the IAM role's ARN.
  Note: The CloudWatch Logs role is an AWS Region-level configuration that you use with all the APIs in the Region.
- Choose Save.
Note: If you create multiple APIs across different Regions, then complete the preceding steps in each Region.
Turn on API logging and stage the API
Complete the following steps:
- Open the API Gateway console.
- In the navigation pane, choose APIs, and then select your API.
- In the navigation pane, choose Stages, and then select your stage.
- Under Logs and tracing, choose Edit.
- Under CloudWatch logs, select a level from the dropdown menu.
  Note: For full request and response logs, select the Data tracing option with the logging level set to Error and info logs. It's a best practice not to turn on Data tracing for production APIs because data tracing can log sensitive data.
- Choose Detailed metrics.
- Under Custom Access Logging, complete the following steps:
  - Select Enable Access Logging.
  - For Access Log Destination ARN, enter the ARN of an Amazon Data Firehose or a CloudWatch log group.
    Note: Only REST APIs support the Firehose ARN.
- Enter a log format.
- Choose Save Changes.
Test your logging setup
Note: To send a new request to your API, use your client application or tools, such as the Postman app or wscat for WebSocket APIs.
Complete the following steps:
- Open the CloudWatch console.
- In the navigation pane, under Logs, choose Log groups.
- For Log groups, select the log group of the API that you want to debug:
  - For REST APIs, the log group name is in the API-Gateway-Execution-Logs_apiId/stageName format.
  - For WebSocket APIs, the log group name is in the /aws/apigateway/apiId/stageName format.
  Note: The access logs are located in the log group that you specified when you turned on access logging.
- In the Log streams list, select the log stream with the latest Last Event Time to view messages with the details of your request.
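The following added example (not part of the original article or AWS code) audits REST API stage descriptions for the data tracing caveat above and builds the execution log group names in the formats listed. It assumes stage data in the shape of the API Gateway GetStages response; the API ID, ARN, stage data, and the production_stages parameter are constructed for illustration.

```python
# Added example: audit REST API stage logging settings offline.
# Input dicts follow the API Gateway GetStages response shape for REST APIs
# (stageName, methodSettings, accessLogSettings). All sample values are constructed.

def execution_log_group(api_id, stage_name, api_type="REST"):
    """Build the execution log group name in the format given in the article."""
    if api_type == "REST":
        return f"API-Gateway-Execution-Logs_{api_id}/{stage_name}"
    if api_type == "WEBSOCKET":
        return f"/aws/apigateway/{api_id}/{stage_name}"
    raise ValueError("HTTP APIs support only access logging")

def audit_stage(api_id, stage, production_stages=("prod",)):
    """Return findings for one stage. production_stages is a hypothetical
    parameter naming the stages that serve production traffic."""
    name = stage["stageName"]
    findings = []
    settings = stage.get("methodSettings", {})
    if not settings:
        findings.append("no execution logging configured")
    for method_key, cfg in sorted(settings.items()):
        if cfg.get("loggingLevel", "OFF") == "OFF":
            findings.append(f"{method_key}: execution logging is off")
        # Data tracing writes full request and response bodies to the log group.
        if cfg.get("dataTraceEnabled") and name in production_stages:
            findings.append(f"{method_key}: data tracing on in production stage "
                            f"(payloads go to {execution_log_group(api_id, name)})")
    if not stage.get("accessLogSettings", {}).get("destinationArn"):
        findings.append("access logging has no destination ARN")
    return findings

SAMPLE_API_ID = "a1b2c3d4e5"  # constructed
SAMPLE_STAGES = [  # constructed stage descriptions
    {"stageName": "prod",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True,
                                "metricsEnabled": True}},
     "accessLogSettings": {"destinationArn":
         "arn:aws:logs:us-east-1:111122223333:log-group:example-access-logs"}},
    {"stageName": "dev",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True}}},
]

def audit_all(api_id=SAMPLE_API_ID, stages=SAMPLE_STAGES):
    """Map each stage name to its list of findings."""
    return {s["stageName"]: audit_stage(api_id, s) for s in stages}

if __name__ == "__main__":
    for stage_name, findings in audit_all().items():
        print(stage_name, findings or ["ok"])
```

To run the audit against a live account, pass the items from a GetStages call for your REST API in place of SAMPLE_STAGES.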
Related information
API Gateway mapping template and access logging variable reference
Monitor REST API execution with Amazon CloudWatch metrics
Monitor WebSocket API execution with CloudWatch metrics