How to send EventBridge PutEvents from web client using Cognito and AWS SDK JavaScript v3?

Here is the code:

import { EventBridgeClient, PutEventsCommand } from "@aws-sdk/client-eventbridge";
import { fromCognitoIdentityPool } from '@aws-sdk/credential-provider-cognito-identity';
import { CognitoIdentityClient } from '@aws-sdk/client-cognito-identity';

const IDENTITY_POOL_ID = 'us-east-1:xxx';
const REGION = 'us-east-1';

const ebClient = new EventBridgeClient({
    region: REGION,
    credentials: fromCognitoIdentityPool({
        client: new CognitoIdentityClient({ region: REGION }),
        identityPoolId: IDENTITY_POOL_ID
    })
});

async function sendEvent() {
    const events = {
        Entries: [
            {
                DetailType: 'SubmitOrder',
                Detail: JSON.stringify({
                    orderId: 'abc',
                    // ...
                }),
                Source: 'com.org.app1',
            },
        ],
    };

    try {
        const data = await ebClient.send(new PutEventsCommand(events));
        console.log("Success, event sent; requestID:", data);
    } catch (err) {
        console.log('Error', err);
    }
}

The permissions for the Unauthorized Cognito Identity Pool role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-east-1:xxxx:event-bus/default"
        }
    ]
}

Trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-east-1:xxxx"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "unauthenticated"
                }
            }
        }
    ]
}

The error:

AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/Cognito_XXXidentitypoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: events:PutEvents on resource: arn:aws:events:us-east-1:xxxx:event-bus/default because no session policy allows the events:PutEvents action

rain-mtucker
a year ago
Here is a sample project that shows this error: https://github.com/rmtuckerphx/web-eventbridge-cognito
Hector Fernandez - Community Builder
a year ago
I have the same problems with Secret Manager, I update the default role with the permissions and any happens. Do you resolve this issue?

Topics

Security, Identity, & Compliance Serverless Application Integration

Relevant content

How to send data to Kinesis Data Firehose using the AWS JavaScript SDK v3?
Sam
asked 7 months ago
AWS SDK for JavaScript V3 : Is amazon-cognito-identity-js becoming deprecated or has security issues in favor of AWS Amplify V6?
Joao
asked 9 days ago
Working with the AWS SDK javascript v3 and using refresh tokens
Accepted Answer
AWS-User-3108276
asked 7 months ago
What are the default retry settings/values for JavaScript SDK V3 clients?
aaronmaxcarver
asked 2 years ago
How can I decode and verify the signature of an Amazon Cognito JSON Web Token?
AWS OFFICIALUpdated 2 years ago
How do I use layers to integrate the latest version of the AWS SDK for JavaScript into my Node.js Lambda function?
AWS OFFICIALUpdated 5 months ago
How do I configure the hosted web UI for Amazon Cognito?
AWS OFFICIALUpdated 2 years ago
How to make an AWS SDK call from a CDK project using the interface AwsSdkCall?
AWS OFFICIALUpdated 10 months ago
A step-by-step guide to cross-account and cross-region events with EventBridge
EXPERT
Antonio_Lagrotteria
published a year ago
Connect and Publish to AWS IoT Core using the AWS SDK for .NET
EXPERT
Kai Dickman
published 6 months ago