EventBridge scheduler

0

Hi, I was testing EventBridge to simply stop or start my EC2 (Linux). I have created the roles and policy that are needed, but it looks like the event is failing to invoke my EC2!! The strange part is, I did the same things in 2 accounts: in our production account it works, but when I try it in our sandbox, the server won't start or stop my EC2.

This is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:eu-central-1:XXXXXXXXXX:instance/i-07d8c13fXXXXXa0",
            "Effect": "Allow"
        }
    ]
}

And this is the trusted entities policy of the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:scheduler:eu-central-1:XXXXXXXXX:schedule/default/StartLinuxServer",
                    "aws:SourceAccount": "XXXXXXXXXX"
                }
            }
        }
    ]
}

SSM has access to the EC2 instance and I have already updated the SSM agent.

Any idea why it works in one account and not in the other? The only difference is that the server in the working account is in a private subnet, and in the sandbox it is in the default public subnet.

Thanks

Shahin
asked 24 days ago, 123 views
2 Answers
0

Hello.

First of all, you cannot stop EC2 with "ec2:StartInstances" alone.
"ec2:StopInstances" is also required to stop EC2.

By the way, is the ARN set in the trust policy correct?
For example, how about making it available to all EventBridge schedulers as follows?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I think the following blog will be helpful for the settings itself.
https://dev.to/aws-builders/easy-setup-for-ec2-stop-jobs-with-amazon-eventbridge-scheduler-4lpg

EXPERT
answered 24 days ago
EXPERT
reviewed 24 days ago
  • Hi, thank you for your reply. Sorry for the misunderstanding, I have also created a different role for starting the instance, that's why I posted it by mistake. I have 1 more role that is being used for the instance; it has AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy as permissions. The ARN is correct, I just copied it from the instance page. I also changed the role by removing the ARN, but still the same result.

    Shahin

  • What is the IAM role configured for the EventBridge scheduler? Try checking the EventBridge scheduler IAM role instead of the EC2 IAM role.
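Added example, not code from the thread: a local lint of the scheduler role's two policy documents, covering the two points raised in this answer and the follow-up comment. It checks that both ec2:StartInstances and ec2:StopInstances are allowed on the instance, and that any aws:SourceArn / aws:SourceAccount condition in the trust policy matches the schedule that actually calls sts:AssumeRole in that account (the condition is the confused-deputy guard, so the fix is to make it match, not to drop it). Account ID, instance ID and schedule names are constructed placeholders.

```python
REQUIRED_ACTIONS = {"ec2:StartInstances", "ec2:StopInstances"}  # start AND stop jobs need both

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_ec2_actions(permissions: dict, instance_arn: str) -> set:
    """REQUIRED_ACTIONS that no Allow statement grants on instance_arn ('*' or exact ARN only)."""
    allowed = set()
    for stmt in permissions["Statement"]:
        if stmt.get("Effect") == "Allow" and any(r in ("*", instance_arn) for r in _as_list(stmt["Resource"])):
            allowed.update(_as_list(stmt["Action"]))
    return REQUIRED_ACTIONS - allowed

def trust_policy_issues(trust: dict, schedule_arn: str, account: str) -> list:
    """Why scheduler.amazonaws.com would be denied sts:AssumeRole for this schedule.
    Empty list means some statement admits it. aws:SourceArn / aws:SourceAccount are the
    confused-deputy guard: keep them, but they must equal the real schedule ARN and account."""
    issues = []
    for stmt in trust["Statement"]:
        if (stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole"
                or stmt.get("Principal", {}).get("Service") != "scheduler.amazonaws.com"):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        found = []
        if cond.get("aws:SourceArn", schedule_arn) != schedule_arn:
            found.append(f"aws:SourceArn is {cond['aws:SourceArn']} but schedule is {schedule_arn}")
        if cond.get("aws:SourceAccount", account) != account:
            found.append(f"aws:SourceAccount is {cond['aws:SourceAccount']} but schedule is in {account}")
        if not found:
            return []  # this statement admits the schedule
        issues.extend(found)
    return issues or ["no Allow statement lets scheduler.amazonaws.com call sts:AssumeRole"]

def check_scheduler_role(permissions, trust, instance_arn, schedule_arn, account) -> list:
    findings = [f"permission policy lacks {a} on {instance_arn}"
                for a in sorted(missing_ec2_actions(permissions, instance_arn))]
    return findings + trust_policy_issues(trust, schedule_arn, account)

# Constructed sample modelled on the thread; account, instance and schedule names are placeholders.
ACCOUNT = "111122223333"
INSTANCE_ARN = f"arn:aws:ec2:eu-central-1:{ACCOUNT}:instance/i-0123456789abcdef0"
PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": INSTANCE_ARN}]}
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "scheduler.amazonaws.com"},
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT,
        "aws:SourceArn": f"arn:aws:scheduler:eu-central-1:{ACCOUNT}:schedule/default/StartLinuxServer"}}}]}
# The schedule that actually fires in this constructed sandbox was created under a different name.
SANDBOX_SCHEDULE = f"arn:aws:scheduler:eu-central-1:{ACCOUNT}:schedule/default/linuxStartSchedule"
```

Calling check_scheduler_role(PERMISSIONS, TRUST, INSTANCE_ARN, SANDBOX_SCHEDULE, ACCOUNT) on the sample reports the missing ec2:StopInstances and the aws:SourceArn mismatch; the same check passes once the schedule ARN in the condition equals the schedule that exists in that account.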

0

This is my event policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:StartInstances",
            "Resource": "arn:aws:ec2:eu-central-1:xxxxxxxxxxx45:instance/i-02307ed149403dd12",
            "Effect": "Allow"
        }
    ]
}

And its trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "scheduler.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:scheduler:eu-central-1:XXXXXXXXXXX45:schedule/default/linuxStartSchedule",
                    "aws:SourceAccount": "Xxxxxxxxxxxx45"
                }
            }
        }
    ]
}

I don't think there is a problem with the IAM roles, because I use the same roles in my prod environment and it works without any problem! When I use them in my sandbox account it won't work.

Shahin
answered 24 days ago
