[events] Grant events:PutEvents to specific EventBridge bus #11228
Comments
It's not possible to restrict access in a policy to a specific event bus. (Comment on the grantPutEvents method.) I can't find a definitive reference in the EventBridge docs that you can't provide a specific event bus, but then I can't find a reference that you can either. So right now you can only give a policy permission to send to any event bus or not send to any event bus.
@michaelwiles - I'm not sure whether that comment is still accurate. The IAM docs seem to indicate that resource-level permissions are supported for EventBridge. However, this is probably best clarified by testing it out. I'll mark it as a
This is my comment there. From the docs it still looks to me that it's not possible:
EventBridge released this ability on Nov 19th 2020 (yesterday). They also changed the form of EventBusPolicy, which is not currently supported by the L1 CfnEventBusPolicy construct.
If anyone is stuck on this, here is a really hacky workaround that I wrote. Was able to get through the stack deploy.

```ts
// Imports assumed for the CDK v1 module layout this thread uses.
import * as cdk from '@aws-cdk/core';
import { CfnEventBusPolicy } from '@aws-cdk/aws-events';
import { PolicyStatement } from '@aws-cdk/aws-iam';

/**
 * https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/
 */
class CfnEventBusPolicy2 extends cdk.CfnResource {
  constructor(scope: cdk.Construct, id: string, private props: CfnEventBusPolicy2Props) {
    // Keep the real resource type; only the property rendering and validation are replaced.
    super(scope, id, { type: CfnEventBusPolicy.CFN_RESOURCE_TYPE_NAME, properties: props });
  }

  protected get cfnProperties(): { [p: string]: any } {
    return this.props;
  }

  // Emit the new Statement/EventBusName form instead of the generated L1 properties.
  protected renderProperties(props: { [p: string]: any }): { [p: string]: any } {
    return super.renderProperties(cfnEventBusPolicyPropsToCloudFormation(this.cfnProperties));
  }

  // The generated validator does not know the new property shape, so skip it.
  protected validate(): string[] {
    return [];
  }
}

function cfnEventBusPolicyPropsToCloudFormation(properties: any) {
  if (!cdk.canInspect(properties)) {
    return properties;
  }
  return {
    Statement: (properties.statement as PolicyStatement).toStatementJson(),
    StatementId: cdk.stringToCloudFormation(properties.statementId),
    EventBusName: cdk.stringToCloudFormation(properties.eventBusName),
  };
}

interface CfnEventBusPolicy2Props {
  readonly statementId: string;
  readonly eventBusName?: string;
  readonly statement: PolicyStatement;
}
```
…13429) Right now EventBus has a static method `grantPutEvents()` which grants PutEvents to all EventBridge buses in the account. Adding a `grantPutEventsTo()` method to the IEventBus interface that grants PutEvents to the specific event bus. We are also deprecating `grantPutEvents()` in favor of `grantAllPutEvents()` which has the same behavior. Closes #11228. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
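The two grant shapes the PR describes, as an added TypeScript example that is not CDK code and not part of this thread: each is rendered as the IAM statement it produces, and a minimal resource matcher is run over constructed bus ARNs to show that only the per-bus statement keeps a producer off the other buses in the account. The account id, region and bus names are constructed sample values.

```typescript
// Added example, not CDK code: the IAM statements behind grantAllPutEvents()
// and grantPutEventsTo(), plus a tiny resource matcher to compare their reach.

interface IamStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

// Constructed sample values; any account id, region or bus name would do.
const ACCOUNT = '123456789012';
const REGION = 'us-east-1';
const ordersBusArn = `arn:aws:events:${REGION}:${ACCOUNT}:event-bus/orders`;
const auditBusArn = `arn:aws:events:${REGION}:${ACCOUNT}:event-bus/audit`;

// What grantAllPutEvents() (formerly grantPutEvents()) grants: PutEvents on any bus.
function allPutEventsStatement(): IamStatement {
  return { Effect: 'Allow', Action: ['events:PutEvents'], Resource: ['*'] };
}

// What grantPutEventsTo() grants: PutEvents on the one bus whose ARN is named.
function putEventsToStatement(busArn: string): IamStatement {
  return { Effect: 'Allow', Action: ['events:PutEvents'], Resource: [busArn] };
}

// Minimal IAM-style resource match: '*' in a Resource entry matches any run of characters,
// everything else must match literally.
function resourceMatches(pattern: string, arn: string): boolean {
  const escaped = pattern
    .split('*')
    .map(part => part.replace(/[.+?^${}()|\[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$').test(arn);
}

// Would this statement let the caller run events:PutEvents against the given bus?
function allowsPutEvents(stmt: IamStatement, busArn: string): boolean {
  return (
    stmt.Action.includes('events:PutEvents') &&
    stmt.Resource.some(resource => resourceMatches(resource, busArn))
  );
}
```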
Right now EventBus has a static method grantPutEvents() which grants access to all EventBridge buses in the account.
It would be useful to add the same method as, or move it to, an instance method so it could grant access to send events only to the bus the method is called on.
Use Case
This would allow managing grants at a more granular level.
Proposed Solution
Other
This is a 🚀 Feature Request