Here is the code:
import { EventBridgeClient, PutEventsCommand } from "@aws-sdk/client-eventbridge";
import { fromCognitoIdentityPool } from '@aws-sdk/credential-provider-cognito-identity';
import { CognitoIdentityClient } from '@aws-sdk/client-cognito-identity';
// Identity pool and region used by every AWS call in this module.
const IDENTITY_POOL_ID = 'us-east-1:xxx';
const REGION = 'us-east-1';

// Credentials are minted from the identity pool without a signed-in user,
// i.e. they carry whatever the pool's unauthenticated role allows. Anyone who
// knows the pool id can obtain the same credentials, so whatever consumes the
// events published with them must treat the payload as untrusted input.
// NOTE(review): the AccessDenied seen with this setup says "no session policy
// allows" — that points at the credential flow scoping the session beyond the
// role's inline policy rather than at the role permissions themselves; confirm
// against the pool's authentication-flow settings.
const identityClient = new CognitoIdentityClient({ region: REGION });
const poolCredentials = fromCognitoIdentityPool({
  client: identityClient,
  identityPoolId: IDENTITY_POOL_ID,
});

// EventBridge client shared by sendEvent().
const ebClient = new EventBridgeClient({
  region: REGION,
  credentials: poolCredentials,
});
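/**
 * Publish a single `SubmitOrder` event to the default EventBridge bus.
 *
 * PutEvents reports per-entry rejections in the response body instead of
 * throwing, so a resolved call only counts as success when
 * `FailedEntryCount` is zero. Both kinds of failure are logged and swallowed
 * (the original best-effort contract); the caller then receives `undefined`.
 *
 * @param {object} [detail] - payload serialised into the event's `Detail`
 *   field; defaults to the sample order the original code sent.
 * @returns {Promise<object|undefined>} the PutEvents response on success,
 *   otherwise `undefined`.
 */
async function sendEvent(detail = { orderId: 'abc' }) {
  const params = {
    Entries: [
      {
        DetailType: 'SubmitOrder',
        Detail: JSON.stringify(detail),
        Source: 'com.org.app1',
      },
    ],
  };
  try {
    const data = await ebClient.send(new PutEventsCommand(params));
    // A successful HTTP response can still carry rejected entries; the
    // per-entry ErrorCode/ErrorMessage live in data.Entries.
    if ((data.FailedEntryCount ?? 0) > 0) {
      console.error('PutEvents rejected entries:', data.Entries);
      return undefined;
    }
    console.log("Success, event sent; requestID:", data);
    return data;
  } catch (err) {
    // AccessDeniedException and transport errors land here; write to stderr
    // so the failure is not lost among normal output.
    console.error('Error', err);
    return undefined;
  }
}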
The permissions policy attached to the identity pool's unauthenticated Cognito role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "events:PutEvents",
"Resource": "arn:aws:events:us-east-1:xxxx:event-bus/default"
}
]
}
Trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
The error:
AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/Cognito_XXXidentitypoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: events:PutEvents on resource: arn:aws:events:us-east-1:xxxx:event-bus/default because no session policy allows the events:PutEvents action
Here is a sample project that shows this error: https://github.com/rmtuckerphx/web-eventbridge-cognito
I have the same problem with Secrets Manager: I updated the default role with the permissions and nothing happens. Has anyone resolved this issue?