Serverless-application-model: add EventBridgePutEventsPolicy policy template

Created on 9 Oct 2019 · 9 Comments · Source: aws/serverless-application-model

Description:

We should add a policy template for putting Amazon EventBridge events. We can call it EventBridgePutEventsPolicy and it should allow the events:PutEvents action. From the EventBridge IAM documentation, it looks like you can't scope the permission down to a specific event bus, although that doesn't sound right so I'm double-checking on that. However, if that turns out to be the case, this policy template would take no parameters and specify Resource: *.

Here's an example of a past PR that added a new policy template for reference: #904

stagwaiting-for-release v1.22.0

All 9 comments

Hi @jlhood ,
I've been looking at this and, while the AWS console complains that:

The actions in your policy do not support resource-level permissions and require you to choose All resources

I'm absolutely able to create a policy in CloudFormation with a specific EventBus as the resource so I'm unsure of which way to go with this.
I'll see if I can actually use that policy and/or whether it restricts writing to other buses, but I'm also a little reluctant to have the new policy specify a resource in case that behaviour is removed.
Thoughts?

@Russ-K I appreciate you following up on this! I'm still trying to get more information internally on plans to support a specific event bus resource within an IAM policy. However, that's mainly because I haven't had time to test it myself. I'd love it if you could test and verify if restricting PutEvents permissions to a specific event bus is currently honored by the service. Knowing the current behavior would help us move forward with this change. If restricting PutEvents permissions to a specific event bus is supported, we should be able to rely on that functionality staying. Again, I'll work on confirming from my side, but if you could run some tests to understand the current behavior, that would be terrific!

I can confirm that using anything besides a * for the resources field in a policy is not supported today. You can create the policy, but any requests you make will get denied. We are working with the service team to evaluate changing that to support specific event bus ARNs, but I can't share any timelines on that at this time.

Thanks @mikedeck. Looks like this issue is blocked until we get this support. I don't want to create a policy template that has no parameters and uses Resource: * only to have it become obsolete later if the service adds per-resource permissions.

The API should now support the resource-level policy in all regions. A parameter can now be added to specify the event bus name in the policy.

@jmnarloch Can I ask how you figured that out? The IAM page for EventBridge still lists no resource type for events:PutEvents.

@chrisoverzero I am afraid that the docs are outdated still.

Is there any idea about the release date of this new policy?

This is released in v1.22.0
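The thread above ends with events:PutEvents gaining resource-level permissions and the policy template shipping with a parameter for the event bus name. The SAM template below is an added example, not code from this issue or from the SAM project: it publishes to one custom event bus from two functions, one using the EventBridgePutEventsPolicy policy template and one carrying the equivalent hand-written IAM statement scoped to the bus ARN (the form Russ-K was testing before the template existed). The parameter name EventBusName is taken from the SAM policy template reference rather than from this page; the bus name, runtime and event source/detail-type values are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Added example (not from the SAM project). Two functions publish to one
  custom event bus with least-privilege PutEvents permissions: PublisherA
  via the EventBridgePutEventsPolicy policy template, PublisherB via an
  inline IAM statement with the bus ARN as Resource instead of '*'.

Resources:
  OrdersBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: orders-bus          # assumed bus name

  PublisherA:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9        # assumed runtime
      Handler: index.handler
      Environment:
        Variables:
          EVENT_BUS_NAME: !Ref OrdersBus   # Ref on an event bus returns its name
      Policies:
        # Policy template available from SAM v1.22.0. EventBusName is the
        # template parameter documented in the SAM policy template reference;
        # SAM expands it into the event-bus ARN in the generated statement.
        - EventBridgePutEventsPolicy:
            EventBusName: !Ref OrdersBus
      InlineCode: |
        import json
        import os
        import boto3

        events = boto3.client("events")

        def handler(event, context):
            # Publish to the named bus only; PutEvents to any other bus
            # is denied by the scoped policy (AccessDeniedException).
            return events.put_events(Entries=[{
                "EventBusName": os.environ["EVENT_BUS_NAME"],
                "Source": "example.orders",           # assumed source
                "DetailType": "OrderPlaced",          # assumed detail type
                "Detail": json.dumps({"orderId": event.get("orderId")}),
            }])

  PublisherB:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: index.handler
      Environment:
        Variables:
          EVENT_BUS_NAME: !Ref OrdersBus
      Policies:
        # Hand-written equivalent of the policy template: resource-level
        # scoping to this bus. Before the service honoured this, the policy
        # was accepted by IAM but every PutEvents call was denied.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: events:PutEvents
              Resource: !GetAtt OrdersBus.Arn
      InlineCode: |
        import json
        import os
        import boto3

        events = boto3.client("events")

        def handler(event, context):
            return events.put_events(Entries=[{
                "EventBusName": os.environ["EVENT_BUS_NAME"],
                "Source": "example.orders",
                "DetailType": "OrderPlaced",
                "Detail": json.dumps({"orderId": event.get("orderId")}),
            }])
```

To confirm the scoping is honoured in your region, invoke either function and check that PutEvents succeeds, then change EVENT_BUS_NAME to a bus the policy does not name (for example the default bus) and confirm the call fails with AccessDeniedException rather than silently succeeding. A successful write to the unnamed bus would mean the resource-level permission is not being enforced and the policy is effectively Resource: '*'.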
