AWS EventBridge rule role not attaching to the EventBridge rule when created via CloudFormation
I have a CloudFormation template that creates an EventBridge rule whose target is a central event bus running in another account. When I run the code below, both the IAM role and the EventBridge rule are created, but the IAM role is not attached to the EventBridge rule. Below is the YAML template I am using.
See also the attached screenshot.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EventRuleRegion1:
    Type: AWS::Events::Rule
    Properties:
      Description: Event rule to send events to monitoring account event bus
      EventBusName: default
      EventPattern:
        source:
          - aws.ec2
      Name: ec2-lifecycle-events2
      RoleArn: !GetAtt
        - EventBridgeIAMrole
        - Arn
      State: ENABLED
      Targets:
        - Arn: >-
            arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney
          Id: 'central-eventbus-sydney'
  EventBridgeIAMrole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub events.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: PutEventsDestinationBus
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'events:PutEvents'
                Resource:
                  - >-
                    arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney
```
A manually created event rule, showing the role that was created and attached.
Policy in the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "events:PutEvents"
      ],
      "Resource": [
        "arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney"
      ]
    }
  ]
}
```
Cross-account permissions are not set up with a role but with EventBus resource permissions. From the [docs][1]:
The permissions for an event bus are granted or denied using a resource-based policy attached to the event bus.
To do this in CloudFormation, you have to develop your own custom resource.
Update
You have not specified a RoleArn for your target. That is different from the RoleArn you have now.
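The target-level RoleArn the update refers to, written out as an added example that is neither the asker's template nor code from the answer: the sending-account template with RoleArn moved onto the target, plus a resource-based policy on the central bus in the receiving account, expressed with the AWS::Events::EventBusPolicy resource type. The destination account ID and bus ARN come from the question; the sending account ID 111111111111 is a placeholder.

```yaml
# Template 1: deployed in the sending account. Same resources as the question,
# but RoleArn sits on the target (what the update points out), not on the rule.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  EventRuleRegion1:
    Type: AWS::Events::Rule
    Properties:
      Name: ec2-lifecycle-events2
      EventBusName: default
      EventPattern:
        source:
          - aws.ec2
      State: ENABLED
      Targets:
        - Id: central-eventbus-sydney
          Arn: arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney
          # Role EventBridge assumes to call PutEvents on the remote bus for this target.
          RoleArn: !GetAtt EventBridgeIAMrole.Arn
  EventBridgeIAMrole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsDestinationBus
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                # Least privilege: only the one destination bus, not events:* on '*'.
                Resource: arn:aws:events:ap-southeast-2:123456789123:event-bus/central-eventbus-sydney

# Template 2: a separate stack in the receiving account 123456789123. This bus
# policy is what grants cross-account PutEvents; without it the call is denied.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CentralBusAllowSender:
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: central-eventbus-sydney
      StatementId: AllowPutEventsFromSenderAccount
      Action: events:PutEvents
      Principal: '111111111111'   # placeholder: the sending account's 12-digit ID
```

Granting to a single account ID rather than `'*'` keeps the central bus from accepting events from arbitrary accounts.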