8

How do I get logging from a custom authorizer Lambda function in API Gateway? I do not want to enable logging for the API. I need logging from the authorizer Lambda function. I use a Python Lambda function and have prints in the code. I want to view the prints in CloudWatch Logs, but the logs are not seen in CloudWatch. I do not get errors either. What am I missing?
The Lambda has the execution role role/service-role/MyLambdaRole. This role has the policy to write to CloudWatch.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:123456:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456:log-group:MyCustomAuthorizer:*"
            ]
        }
    ]
}

I also tested by adding the CloudWatchLogsFullAccess policy to the role/service-role/MyLambdaRole role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
suman j
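
One check for this symptom, as an added example that is not code from the question or the answers: Lambda writes to the log group `/aws/lambda/<function name>`, so the role's resource ARNs have to cover that name. The function name `MyCustomAuthorizer` is an assumption, and the evaluation is simplified to Allow statements only (no Deny, NotAction/NotResource or Condition handling).

```python
import re

# The two policies from the question, reduced to the fields this check reads.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "logs:CreateLogGroup",
     "Resource": "arn:aws:logs:us-east-1:123456:*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": ["arn:aws:logs:us-east-1:123456:log-group:MyCustomAuthorizer:*"]},
]}
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"}]}


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def _as_list(value):
    """IAM allows a single string/object where a list is also accepted."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def allows(policy, action, resource):
    """True if some Allow statement covers the action on the resource (simplified)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False


def lambda_log_gaps(policy, region, account, function_name):
    """Return the logging actions NOT granted on the function's default log group."""
    group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
    stream = f"{group}:log-stream:example"  # constructed stream name
    needed = {"logs:CreateLogGroup": group,
              "logs:CreateLogStream": stream,
              "logs:PutLogEvents": stream}
    return [a for a, res in needed.items() if not allows(policy, a, res)]


if __name__ == "__main__":
    for name, policy in (("role policy", ROLE_POLICY), ("full access", FULL_ACCESS)):
        print(name, lambda_log_gaps(policy, "us-east-1", "123456", "MyCustomAuthorizer"))
```

An empty list means the policy covers everything the function needs to write its own log streams; a non-empty list names the actions that would be refused for that log group.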

2 Answers

3

I deleted the Lambda function, the IAM role, and the custom authorizer from API Gateway. I recreated all of the above with the same settings and published the API. It started working and logging as expected. I do not know what was preventing it from logging to CloudWatch Logs earlier. Weird!!

suman j
0

When I set up my authorizer, I set a Lambda Event payload for a custom header, and I had neglected to set that header in my browser session. According to the documentation at https://docs.aws.amazon.com/apigateway/latest/developerguide/configure-api-gateway-lambda-authorization-with-console.html, section 9b, the API Gateway will throw a 401 Unauthorized error without even executing the Lambda function. So that was the source of the problem.

sarath