I have an existing CloudSearch domain and an API Gateway. I'm following the steps for Integrating Amazon CloudSearch with API Gateway to link the two.
Per the instructions, my CloudSearch domain has the following access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::********:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"
      },
      "Action": "cloudsearch:*"
    }
  ]
}
The IAM role is supposed to have the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
And this trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But the AWSServiceRoleForAPIGateway role is automatically generated, and I'm not able to edit its permissions or trust relationships. It is missing all the necessary logs:* permissions and is trusted by ops.apigateway.amazonaws.com instead of apigateway.amazonaws.com.
My API Gateway resource is configured exactly as specified in the article linked earlier, but the call fails with the following error:
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::********:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway
I've tried creating a new service-linked role for API Gateway, which uses the AmazonAPIGatewayPushToCloudWatchLogs policy. This role has the necessary permissions and trust relationship, but the call fails with the same error.
Is there something more I need to do to configure API Gateway to use the correct role(s)? Can I attach a new policy to an AWS-managed service-linked role?
This is a clear case of rubberducking. While reviewing my question for accuracy, I noticed two things:
In the Method Execution configuration for my API Gateway resource, I had explicitly set the Execution role to the AWSServiceRoleForAPIGateway role.
In the CloudSearch domain, I also had allowed the AWSServiceRoleForAPIGateway role access.
I changed both references to the new API Gateway service-linked role I created--the one I assigned the AmazonAPIGatewayPushToCloudWatchLogs policy to--and everything is working as expected.
Thank you to anyone who spent time reading my question. I don't know how useful it is, but I'll leave this here in case it helps someone else who falls into the same trap.
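The trap described in the answer (an execution role whose trust policy names the wrong service principal, and a CloudSearch access policy still pointing at the old role) can be caught offline by checking the two policy documents against the role ARN the API Gateway integration actually uses. The following is an added example, not code from the original post or from AWS; the policy documents and ARNs below are constructed samples that mirror the ones in the question, with the account ID replaced by a placeholder, and the function names (`trusted_services`, `cloudsearch_allowed_principals`, `check_integration`) are this example's own.

```python
import json

# Constructed sample data (not from the original post). The account ID is a
# placeholder; the role names follow the ones discussed in the question.
SERVICE_LINKED_ROLE_ARN = (
    "arn:aws:iam::123456789012:role/aws-service-role/"
    "ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway"
)
CUSTOM_ROLE_ARN = "arn:aws:iam::123456789012:role/ApiGatewayCloudSearchRole"  # hypothetical name

# Trust policy of the auto-generated service-linked role: trusted by the
# ops.apigateway.amazonaws.com principal, which is not what an integration
# execution role needs.
SERVICE_LINKED_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ops.apigateway.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}
""")

# Trust policy of a role created for the integration: trusted by
# apigateway.amazonaws.com, as the integration guide requires.
CUSTOM_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Service": "apigateway.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}
""")


def cloudsearch_policy_for(role_arn):
    """Build a CloudSearch domain access policy that grants one role cloudsearch:*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": role_arn}, "Action": "cloudsearch:*"}
        ],
    }


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Return the set of service principals allowed to call sts:AssumeRole."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def cloudsearch_allowed_principals(access_policy):
    """Return the set of AWS principals (ARNs, or '*') the domain policy allows."""
    principals = set()
    for stmt in access_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
        elif isinstance(principal, dict):
            principals.update(_as_list(principal.get("AWS", [])))
    return principals


def check_integration(execution_role_arn, trust_policy, access_policy):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    if "apigateway.amazonaws.com" not in trusted_services(trust_policy):
        findings.append("execution role is not trusted by apigateway.amazonaws.com")
    allowed = cloudsearch_allowed_principals(access_policy)
    if execution_role_arn not in allowed and "*" not in allowed:
        findings.append("CloudSearch access policy does not allow the execution role")
    if "*" in allowed:
        findings.append("CloudSearch access policy allows any principal")
    return findings


if __name__ == "__main__":
    # The configuration from the question: service-linked role everywhere.
    print(check_integration(SERVICE_LINKED_ROLE_ARN, SERVICE_LINKED_TRUST,
                            cloudsearch_policy_for(SERVICE_LINKED_ROLE_ARN)))
    # The fix from the answer: the custom role in both places.
    print(check_integration(CUSTOM_ROLE_ARN, CUSTOM_TRUST,
                            cloudsearch_policy_for(CUSTOM_ROLE_ARN)))
```

Running the first check reproduces the question's situation: the CloudSearch policy does name the role, but the role's trust policy only lists ops.apigateway.amazonaws.com, so API Gateway cannot assume it. The second check passes once both the Method Execution role and the domain policy reference the same, correctly trusted role. In a real account the two policy documents would come from `iam:GetRole` and `cloudsearch:DescribeServiceAccessPolicies`; the check logic is the same.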