IAM Role for EventBridge

0

Hi, I am trying to trigger a Run Command document on a bunch of EC2 instances when a parameter in Parameter Store is updated. The rule gets triggered as expected, but I can see from the events in CloudWatch that all invocations fail. I'm a bit lost as to how to troubleshoot it, as there don't seem to be any logs available in EventBridge. I'm thinking it might be to do with the IAM role used for the targets. If you set up the targets manually through the EventBridge console this role can be created automatically; however, I am required to create all infra via Terraform, so I need to create and assign the role separately. Documentation on the role requirements is a bit thin on the ground, but this is what I have so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/os_type": "*"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux"
        }
    ]
}

with events.amazonaws.com being able to assume the role.

Any suggestions on how to troubleshoot this further, or advice on the IAM role permissions required, would be much appreciated.

Many thanks.

  • Did you ever find a solution? I have a similar problem but the target is SQS (and I want/need to use a role).

Asked 2 years ago, 5325 views
3 answers
0

The permissions you are listing in your post are for the Systems Manager service, not for EventBridge. In order to be able to put an event on an event bus, your role should allow the action events:PutEvents on the resource representing the event bus you want to use.

jgg
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately.

0

Good question!

To utilize EventBridge and specifically in your case when you're trying to see logs in EventBridge:

As for your Parameter Store Permissions and Issues, check the following:

  • Access to Systems Manager Parameter Store to write to Parameter Store. This will look like an ssm:PutParameter.
  • Access to the KMS Key used to encrypt Parameter Store.
jsonc
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role, but it is still failing unfortunately. I don't believe I need the PutParameter permission as I only need to read the value. Also, it's stored as a string, so I shouldn't need access to KMS to decrypt?

0

Can you elaborate a little more extensively?

As I understand, when the Parameter is changed, the event is sent through EventBridge and the Rule is applied to consume this event. The question is who is a subscriber? Lambda? If yes, you need to add LambdaPermission to allow EventBridge to invoke your Lambda function.

The policies you listed are needed by the Lambda function to execute your logic to apply new parameters, but are not connected to the subscription with EventBridge.

MG
Answered 2 years ago
  • Hi, thanks for your reply. For my target I have Systems Manager Run Command to apply the AmazonCloudWatch-ManageAgent SSM document. My rule looks like this:

    {
        "Name": "update-cloud-watch-agent-linux",
        "Arn": "arn:aws:events:eu-west-2:xxxxxxxxxxxx:rule/update-cloud-watch-agent-linux",
        "EventPattern": "{\"detail\":{\"name\":[\"cloud-watch-config-linux\"],\"operation\":[\"Update\"]},\"detail-type\":[\"Parameter Store Change\"],\"resources\":[\"arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux\"],\"source\":[\"aws.ssm\"]}",
        "State": "ENABLED",
        "Description": "Update Cloud Watch Agent on Linux instances when config file is changed",
        "EventBusName": "default",
        "CreatedBy": "xxxxxxxxxxxx"
    }

    and my targets:

    {
        "Targets": [
            {
                "Id": "update-cloud-watch-agent-linux",
                "Arn": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent",
                "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ssm-run-command",
                "Input": "{\"action\":\"configure\",\"mode\":\"ec2\",\"optionalConfigurationLocation\":\"cloud-watch-config-linux\",\"optionalConfigurationSource\":\"ssm\",\"optionalRestart\":\"yes\"}",
                "RunCommandParameters": {
                    "RunCommandTargets": [
                        {
                            "Key": "tag:os_type",
                            "Values": ["Linux"]
                        }
                    ]
                }
            }
        ]
    }
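Added example, not from any post in this thread: a deliberately simplified evaluator for identity-based policy statements, used to check the question's two ssm:SendCommand statements against the tag the target selects on (os_type = Linux). It models only Effect/Action/Resource and the StringEquals/StringLike operators, and the account and instance ids are constructed placeholders. The behaviour it demonstrates holds in real IAM: StringEquals compares literally, so a condition value of "*" matches only a tag whose value is the literal string *, while StringLike treats * as a wildcard.

```python
import fnmatch
ACCOUNT = "111122223333"  # constructed placeholder, not the poster's account id
POSTED = {"Version": "2012-10-17", "Statement": [  # the question's two ssm:SendCommand statements
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": f"arn:aws:ec2:eu-west-2:{ACCOUNT}:instance/*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/os_type": "*"}}},
    {"Effect": "Allow", "Action": "ssm:SendCommand",
     "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"}]}
# Same policy with the instance statement's operator switched to the wildcard-aware StringLike.
FIXED = {"Version": "2012-10-17", "Statement": [
    dict(POSTED["Statement"][0], Condition={"StringLike": {"ec2:ResourceTag/os_type": "*"}}),
    POSTED["Statement"][1]]}
INSTANCE = f"arn:aws:ec2:eu-west-2:{ACCOUNT}:instance/i-0123456789abcdef0"  # constructed
DOCUMENT = "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"
LINUX_TAG = {"ec2:ResourceTag/os_type": "Linux"}  # the tag the rule's RunCommandTargets select on

def _listed(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style glob: '*' matches any run of characters, '?' a single one (case-sensitive here).
    return any(fnmatch.fnmatchcase(value, p) for p in _listed(patterns))

def _condition_met(condition, context):
    # StringEquals compares literally; only StringLike treats '*' and '?' as wildcards.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # context key absent: the condition is not met
            if operator == "StringEquals" and actual not in _listed(wanted):
                return False
            if operator == "StringLike" and not _matches(wanted, actual):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True

def is_allowed(policy, action, resource, context=None):
    # Simplified evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_met(st.get("Condition", {}), context or {}):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The same check against the real role can be run with the IAM policy simulator (SimulatePrincipalPolicy, passing ec2:ResourceTag/os_type as a context entry), and CloudTrail records the SendCommand call that EventBridge makes with the role, including an errorCode such as AccessDenied when the role's permissions are the cause.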
