Insufficient permissions to enable logging (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException;…)

While I was working on the serverless monorepo CI/CD deployment. This error appears when you are trying to deploy serverless application on AWS. Although, it should throw some specific missing iam permission.

🚫

Insufficient permissions to enable logging (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: xxxxx; Proxy: null)

🔎 Root cause: You’re probably missing the following IAM permissions actions:

logs:CreateLogDelivery

logs:PutResourcePolicy

logs:DescribeResourcePolicies

logs:DescribeLogGroups

If any of these types of logs is already being sent to a log group in CloudWatch Logs, then to set up the sending of another one of these types of logs to that same log group, you only need the logs:CreateLogDelivery permission.

📘 Reference:

Enabling logging from AWS services - Amazon CloudWatch Logs

Lists the AWS services that send logs to CloudWatch Logs, Amazon S3, and Kinesis Data Firehose, and explains the permissions necessary for some of these services to send their logs.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-vended-logs-permissions

💡 Solution: Attach the permissions above inline or create a new policy including the following permisions:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
				"logs:CreateLogDelivery"
				"logs:PutResourcePolicy",
				"logs:DescribeResourcePolicies"
				"logs:DescribeLogGroups"
      ],
      "Resource": [
        "*" // you can refine the resource with granular permissions
      ]
    }
  ]
}