
[events] Grant events:PutEvents to specific EventBridge bus #11228

Status: Closed
Labels: @aws-cdk/aws-events (Related to CloudWatch Events), effort/small (Small work item – less than a day of effort), feature-request (A feature should be added or improved.), p2

Comments

SZubarev commented Oct 30, 2020

Right now EventBus has a static method grantPutEvents() which grants access to all EventBridge buses in the account.
It would be useful to add the same method as an instance method (or move it there) so it could grant access to send events only to the bus on which the method is called.

Use Case

This would allow managing grants more granularly.

Proposed Solution

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@SZubarev SZubarev added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 30, 2020
@github-actions github-actions bot added the @aws-cdk/aws-events Related to CloudWatch Events label Oct 30, 2020
@michaelwiles (Contributor)

It's not possible to restrict access in a policy to a specific event bus.

Comment on the grantPutEvents method:

// It's currently not possible to restrict PutEvents to specific resources.
// See https://docs.aws.amazon.com/eventbridge/latest/userguide/permissions-reference-eventbridge.html

I can't find a definitive reference in the event bridge docs that you can't provide a specific event bus but then I can't find a reference that you can either.

So right now you can only give a policy permission to send to any event bus or not send to any event bus.

@shivlaks (Contributor)

@michaelwiles - I'm not sure whether that comment is still accurate. The IAM docs seem to indicate that resource-level permissions are supported for EventBridge.

However, this is probably best clarified by testing it out. I'll mark it as a p2 for now and will update once we sort out the best path forward.

@shivlaks shivlaks added p2 effort/small Small work item – less than a day of effort labels Nov 12, 2020
jogold (Contributor) commented Nov 12, 2020

This is my comment there on grantPutEvents() :)

From the docs it still looks to me that it's not possible:

The table lists each EventBridge API operation and the corresponding actions for which you can grant permissions to perform the action. You specify the actions in the policy's Action field, and you specify a wildcard character (*) as the resource value in the policy's Resource field.

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 13, 2020
thantos (Contributor) commented Nov 20, 2020

EventBridge released this ability on Nov 19th 2020 (yesterday).

https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/

They also changed the form of EventBusPolicy, which is not currently supported by the L1 CfnEventBusPolicy construct.

thantos (Contributor) commented Nov 20, 2020

If anyone is stuck on this, here is a really hacky workaround that I wrote. I was able to get through the stack deploy.

// CDK v1 package names, assumed from the November 2020 date of this comment.
import * as cdk from '@aws-cdk/core';
import { CfnEventBusPolicy } from '@aws-cdk/aws-events';
import { PolicyStatement } from '@aws-cdk/aws-iam';

/**
 * https://aws.amazon.com/blogs/compute/simplifying-cross-account-access-with-amazon-eventbridge-resource-policies/
 *
 * Emits an AWS::Events::EventBusPolicy with the new `Statement` property
 * (a full IAM statement) that the generated L1 CfnEventBusPolicy does not
 * yet render. Reuses the L1's resource type name so the template is valid.
 */
class CfnEventBusPolicy2 extends cdk.CfnResource {
    constructor(scope: cdk.Construct, id: string, private props: CfnEventBusPolicy2Props) {
        super(scope, id, { type: CfnEventBusPolicy.CFN_RESOURCE_TYPE_NAME, properties: props });
    }

    protected get cfnProperties(): { [p: string]: any } {
        return this.props;
    }

    // Ignore the props handed in by the framework and render our own mapping.
    protected renderProperties(props: { [p: string]: any }): { [p: string]: any } {
        return super.renderProperties(cfnEventBusPolicyPropsToCloudFormation(this.cfnProperties));
    }

    // Skip construct-level validation for this hand-rolled resource.
    protected validate(): string[] {
        return [];
    }
}

// Map the camelCase props onto the CloudFormation property names.
function cfnEventBusPolicyPropsToCloudFormation(properties: any) {
    if (!cdk.canInspect(properties)) {
        return properties;
    }
    return {
        Statement: (properties.statement as PolicyStatement).toStatementJson(),
        StatementId: cdk.stringToCloudFormation(properties.statementId),
        EventBusName: cdk.stringToCloudFormation(properties.eventBusName),
    };
}

interface CfnEventBusPolicy2Props {
    readonly statementId: string;
    readonly eventBusName?: string;
    readonly statement: PolicyStatement;
}

@NGL321 NGL321 assigned rix0rrr and unassigned shivlaks Jan 25, 2021
@mergify mergify bot closed this as completed in #13429 Mar 9, 2021
mergify bot pushed a commit that referenced this issue Mar 9, 2021
…13429)

Right now EventBus has a static method `grantPutEvents()` which grants PutEvents to all EventBridge buses in the account.

Adding a `grantPutEventsTo()` method to the IEventBus interface that grants PutEvents to the specific event bus.
We are also deprecating `grantPutEvents()` in favor to `grantAllPutEvents()` which has the same behavior.

Closes #11228.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
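As an added example (written for this page; it is neither CDK's own code nor anything posted in the thread), the two IAM identity-policy statements the change above distinguishes, plus a small allow-only matcher that shows why the bus-scoped one is the least-privilege choice. The event bus ARN format (arn:aws:events:<region>:<account>:event-bus/<name>) is the real one; the account ID and bus names are constructed. The matcher handles only `Allow` statements with IAM's `*` and `?` wildcards, not explicit denies, conditions, principals or resource policies, so it illustrates the grant scope rather than reproducing IAM's evaluation engine.

```typescript
// Added example, not aws-cdk code. Account ID and bus names below are constructed.

interface IamStatement {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
}

// Constructed sample ARNs in the real EventBridge event-bus ARN format.
const ORDERS_BUS = 'arn:aws:events:us-east-1:111111111111:event-bus/orders';
const ORDERS_EU_BUS = 'arn:aws:events:us-east-1:111111111111:event-bus/orders-eu';
const DEFAULT_BUS = 'arn:aws:events:us-east-1:111111111111:event-bus/default';

// Account-wide grant: the shape the original static grantPutEvents() produced
// (and that grantAllPutEvents() keeps): Resource is '*', so any bus in the account.
function allPutEventsStatement(): IamStatement {
  return { Effect: 'Allow', Action: ['events:PutEvents'], Resource: ['*'] };
}

// Bus-scoped grant: resource-level permission on one event bus ARN, the shape
// a per-bus grantPutEventsTo() needs now that EventBridge supports it.
function putEventsToBusStatement(busArn: string): IamStatement {
  return { Effect: 'Allow', Action: ['events:PutEvents'], Resource: [busArn] };
}

// Turn an IAM pattern ('*' = any run of characters, '?' = one character)
// into an anchored regular expression; everything else is matched literally.
function iamPatternToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// Allow-only evaluation: does any statement permit `action` on `resourceArn`?
// Deliberately ignores Deny, Condition and Principal, which real IAM also evaluates.
function isAllowed(statements: IamStatement[], action: string, resourceArn: string): boolean {
  return statements.some(s =>
    s.Effect === 'Allow' &&
    s.Action.some(a => iamPatternToRegExp(a).test(action)) &&
    s.Resource.some(r => iamPatternToRegExp(r).test(resourceArn)));
}

// Stand-alone run: the scoped statement reaches only its own bus,
// the account-wide one reaches every bus.
const scoped = [putEventsToBusStatement(ORDERS_BUS)];
const accountWide = [allPutEventsStatement()];
console.log('scoped -> orders :', isAllowed(scoped, 'events:PutEvents', ORDERS_BUS));
console.log('scoped -> default:', isAllowed(scoped, 'events:PutEvents', DEFAULT_BUS));
console.log('all    -> default:', isAllowed(accountWide, 'events:PutEvents', DEFAULT_BUS));
```

When reviewing a synthesized template, the check to make is that the `Resource` of the PutEvents statement is the bus ARN (or an ARN pattern you chose on purpose) rather than `*`; a wildcard resource lets the principal publish into any bus in the account, including buses that other teams' rules trust.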
github-actions bot commented Mar 9, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
