Can API Gateway send Access Logs to Firehose in a different account?

0

We have API Gateway deployed in account A and want to send Access Logs to a Firehose in account B so all auditing services and billing are separated. But after the Firehose ARN from account B was set in API Gateway, we are getting the error "Invalid ARN specified in the request. ARN must belong to account A and region should be X". Is it possible that we are missing some permission configuration here? Or is it just that API Gateway does not have the option to send Access Logs to another account?

3 Answers
0

The recommendation would be to have API Gateway in account A, Kinesis Firehose in account A, and the S3 target bucket + analytics in account B. You could find the example on how to achieve this here. Account A would also be charged for the usage of Kinesis Firehose. You could use tag-based cost allocation to know that cost in particular if you want to internally allocate that cost (although from my experience Firehose's cost shouldn't be too much to go through this hassle).

AWS
answered a year ago
0

Thanks for the recommendation, we'll do that. Can you confirm it's not possible to send API Gateway's Access Logs to Firehose in a different account?

answered a year ago
0

API Gateway doesn't allow direct cross-account pass role. At the moment the logs can only be sent to the same account (not cross-account). To have centralized logging in a common account, follow this pattern: https://aws.amazon.com/solutions/implementations/centralized-logging/

AWS
answered 10 months ago
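
The layout recommended in the answers above (Firehose in account A, S3 bucket in account B), sketched as an added example that is not part of any answer in this thread: a pre-deployment check that flags a Firehose ARN outside the API's account or region, plus the bucket policy account B would attach so the account A delivery role can write. The account IDs, role name and bucket name are constructed placeholders, and the action list is assumed from AWS's documented cross-account S3 delivery policy for Firehose.

```python
import json

def parse_arn(arn):
    """Split an ARN into its six colon-separated fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))

def destination_problems(firehose_arn, api_account, api_region):
    """List the reasons API Gateway would reject this access-log destination."""
    arn = parse_arn(firehose_arn)
    problems = []
    if arn["service"] != "firehose" or not arn["resource"].startswith("deliverystream/"):
        problems.append("not a Firehose delivery stream ARN")
    if arn["account"] != api_account:
        problems.append(f"stream account {arn['account']} != API account {api_account}")
    if arn["region"] != api_region:
        problems.append(f"stream region {arn['region']} != API region {api_region}")
    return problems

def bucket_policy_for_firehose(firehose_role_arn, bucket):
    """Bucket policy for account B that lets account A's Firehose role deliver."""
    if parse_arn(firehose_role_arn)["service"] != "iam":
        raise ValueError("principal must be an IAM role ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowFirehoseDeliveryFromAccountA",
            "Effect": "Allow",
            "Principal": {"AWS": firehose_role_arn},  # one role, not the whole account
            "Action": [
                "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
                "s3:ListBucket", "s3:ListBucketMultipartUploads",
                "s3:PutObject", "s3:PutObjectAcl",
            ],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

# Constructed sample values: account A = 111111111111, account B = 222222222222.
ACCOUNT_A, REGION = "111111111111", "us-east-1"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/firehose-delivery-role"  # hypothetical role name

if __name__ == "__main__":
    for acct in ("222222222222", ACCOUNT_A):
        arn = f"arn:aws:firehose:{REGION}:{acct}:deliverystream/api-access-logs"
        print(arn, "->", destination_problems(arn, ACCOUNT_A, REGION) or "no mismatch")
    print(json.dumps(bucket_policy_for_firehose(ROLE_A, "audit-logs-account-b"), indent=2))
```

The delivery role in account A still needs its own identity policy allowing the same S3 actions on the account B bucket, since cross-account access requires both sides to grant it.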