Why does my EventBridge rule fail to invoke my API destination target?


I want to know why my Amazon EventBridge rule didn't invoke my API destination target.

Resolution

To identify any invocation failure, you must set up a dead-letter queue (DLQ). The DLQ message includes ERROR_CODE and ERROR_MESSAGE attributes to help you understand why the target invocation failed.
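The following is an added example, not part of the original article: a Python triage helper that groups DLQ messages by target and ERROR_CODE so that repeated failures stand out. It assumes the message shape that boto3's `receive_message` returns when called with `MessageAttributeNames=["All"]`; the ARNs, error codes, and messages in the sample are constructed placeholders, and `RULE_ARN`, `TARGET_ARN`, and `RETRY_ATTEMPTS` are further attributes that EventBridge attaches to DLQ messages.

```python
from collections import defaultdict

def _attr(value, data_type="String"):
    # SQS message attribute as it appears in a receive_message response
    return {"DataType": data_type, "StringValue": value}

# Constructed sample data: every ARN, code and message below is a placeholder.
TARGET = "arn:aws:events:us-east-1:111122223333:api-destination/example-dest/EXAMPLE"
RULE = "arn:aws:events:us-east-1:111122223333:rule/example-rule"

def _failure(msg_id, code, text, retries):
    return {"MessageId": msg_id, "MessageAttributes": {
        "RULE_ARN": _attr(RULE), "TARGET_ARN": _attr(TARGET),
        "ERROR_CODE": _attr(code), "ERROR_MESSAGE": _attr(text),
        "RETRY_ATTEMPTS": _attr(str(retries), "Number")}}

SAMPLE_RESPONSE = {"Messages": [
    _failure("m1", "EXAMPLE_TIMEOUT", "constructed: endpoint did not respond", 185),
    _failure("m2", "EXAMPLE_TIMEOUT", "constructed: endpoint did not respond", 3),
    _failure("m3", "EXAMPLE_NO_PERMISSION", "constructed: role not authorized", 0),
    {"MessageId": "m4", "Body": "message that did not come from EventBridge"},
]}

def summarize_dlq(response):
    """Group failures by (target ARN, error code); return (groups, skipped ids)."""
    groups = defaultdict(lambda: {"count": 0, "max_retries": 0, "messages": set()})
    skipped = []
    for msg in response.get("Messages", []):
        raw = msg.get("MessageAttributes") or {}
        attrs = {name: value.get("StringValue") for name, value in raw.items()}
        if not attrs.get("ERROR_CODE"):
            # No failure attributes: not an EventBridge DLQ message, or the
            # attributes were not requested when the queue was read.
            skipped.append(msg.get("MessageId"))
            continue
        group = groups[(attrs.get("TARGET_ARN", "unknown"), attrs["ERROR_CODE"])]
        group["count"] += 1
        group["max_retries"] = max(group["max_retries"],
                                   int(attrs.get("RETRY_ATTEMPTS") or 0))
        group["messages"].add(attrs.get("ERROR_MESSAGE", ""))
    return dict(groups), skipped

if __name__ == "__main__":
    summary, skipped = summarize_dlq(SAMPLE_RESPONSE)
    for (target, code), info in summary.items():
        print(code, info["count"], info["max_retries"], sorted(info["messages"]), target)
    print("skipped (no ERROR_CODE attribute):", skipped)
```
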

The IAM role doesn't have the correct permissions

Make sure that the AWS Identity and Access Management (IAM) role that's associated with the API destination target has the events:InvokeApiDestination permission in its policy. For more information, see Using identity-based policies (IAM policies) for Amazon EventBridge.

You didn't correctly configure the API destination point

EventBridge requests to an API destination endpoint must have a maximum client execution timeout of 5 seconds. If the target endpoint takes longer than 5 seconds to respond, then EventBridge times out the request. EventBridge retries timed-out requests up to the maximum that you configured in your retry policy. By default, EventBridge retries for up to 24 hours and up to 185 times. If you don't set up a DLQ, then EventBridge drops the events after the maximum number of retries.

Make sure that the API destination endpoint doesn't block traffic from EventBridge. Verify that the endpoint uses a valid SSL certificate.

The API destination is in the Inactive state and the connection authorization is DEAUTHORIZED

When you use connections with the OAuth authorization type, EventBridge refreshes OAuth tokens only when your authorization endpoint returns a 401 or 407 response. If your authorization endpoint sends any other response code, such as a 403 response, then EventBridge changes the connection to the DEAUTHORIZED state.

Check your authorization endpoint logs to identify the reason for the failure.

Related information

How can I use a dead-letter queue to troubleshoot FailedInvocations for EventBridge rules?

AWS OFFICIAL
Updated 6 days ago