How can I use EventBridge to submit a scheduled Batch job without specifying the latest job definition revision?

0

Hello,

I'm trying use EventBridge to schedule Batch submissions. However, I'm getting this error:

"User: arn:aws:sts::[account ID]:assumed-role/[IAM Batch invoker role] is not authorized to perform: batch:SubmitJob on resource: arn:aws:batch:[account ID]:job-definition/[job definition name]"

The invoker role's permissions are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "batch:SubmitJob",
            "Resource": [
                "arn:aws:batch:[account ID]:job-definition/[job definition name]:*",
                "arn:aws:batch:[account ID]:job/[job name]",
                "arn:aws:batch:[account ID]:job-queue/[job queue name]"
            ]
        }
    ]
}

For whatever reason, the rules work fine if I list the most recent job revision as the rule's target (i.e., arn:aws:batch:[account ID]:job-definition/[job definition name]:235). However, if I don't list the most recent revision number, I get the above error. My team updates this job definition frequently and I'm trying to make several rules like this, so manually changing the revision number every time isn't a good option. The rules also work if I just use "Resource": "*" for permissions, but this security policy is unacceptably broad for my organization. Is there a way I can get rules like this to work without listing the revision number?

asked 2 years ago638 views
1 Answer
0

Hello!

The job definition value can be one of

  • name,
  • name:revision. Without a revision the latest active revision is used
  • or the ARN for the job definition

Could you try this policy?

"Resource": [ "arn:aws:batch:region:account-number:job-definition/[job definition name]", "arn:aws:batch:region:account-number:job-definition/[job definition name]:*", "arn:aws:batch:region:account-number:job-queue/[job queue name]" ]

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions