How do I troubleshoot errors in EventBridge Scheduler?

Resolution

Monitor EventBridge Scheduler metrics

Use Amazon CloudWatch to monitor EventBridge Scheduler metrics. For example, you can check metrics such as TargetErrorCount, InvocationDroppedCount, and TargetErrorThrottledCount.

Configure a DLQ

To get a payload that contains invocation details when a schedule fails to invoke its target, configure a dead-letter queue (DLQ).

Check that EventBridge Scheduler has the necessary permissions

Verify that your AWS Identity and Access Management (IAM) execution role allows EventBridge Scheduler to assume the role. The policy that you attach to the role must also have permission to invoke the targets.

Verify the trust relationship

To verify that EventBridge Scheduler can assume the role, complete the following steps:

1. Open the EventBridge console.
2. Choose Schedules, and then select your schedule.
3. Choose the Target tab.
4. Select the execution role.
5. Choose Trust relationships.
6. Verify that Principal is set to scheduler.amazonaws.com.
7. Verify that Action is set to sts:AssumeRole.

Note: It's a best practice to use an execution role trust policy that helps prevent the confused deputy problem.

Verify target permissions

To check whether EventBridge Scheduler can invoke the target, identify the API operation for the AWS service that you want EventBridge Scheduler to call. Then, verify that the IAM policy that's attached to your execution role includes the permission to call the service's API operation.

For example, to have EventBridge Scheduler invoke an AWS Lambda function, you must include the lambda:InvokeFunction permission in your IAM policy:

{
    "Version":"2012-10-17", 
    "Statement": [ 
        {
            "Action": [ "lambda:InvokeFunction" ], 
            "Effect": "Allow", 
            "Resource": "*" 
        } 
     ]
}

Note: It's a best practice to use specific Amazon Resource Names (ARNs) instead of a wildcard (*).