IAM Role for Event Bridge

0

Hi, I am trying to trigger a Run Command document on a bunch of EC2 instances when a parameter in Parameter Store is updated. The rule gets triggered as expected, but I can see from the events in CloudWatch that all invocations fail. I'm a bit lost as to how to troubleshoot it, as there don't seem to be any logs available in EventBridge. I'm thinking it might be to do with the IAM role used for the targets. If you set up the targets manually through the EventBridge console this role can be created automatically; however, I am required to create all infra via Terraform, so I need to create and assign the role separately. Documentation on the role requirements is a bit thin on the ground, but this is what I have so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/os_type": "*"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux"
        }
    ]
}

with events.amazonaws.com being able to assume the role.

Any suggestions on how to troubleshoot this further, or advice on the IAM role permissions required, would be much appreciated.

Many thanks.

  • Did you ever find a solution? I have a similar problem but the target is SQS (and I want/need to use a role).

Asked 2 years ago, 5325 views
3 answers
0

The permissions you are listing in your post are for the Systems Manager service, not for EventBridge. In order to be able to put an event on an event bus, your role should allow the action events:PutEvents on the resource representing the event bus you want to use.

jgg
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately.

0

Good question!

To utilize EventBridge and specifically in your case when you're trying to see logs in EventBridge:

As for your Parameter Store Permissions and Issues, check the following:

  • Access to Systems Manager Parameter Store to write to Parameter Store. This will look like an ssm:PutParameter.
  • Access to the KMS Key used to encrypt Parameter Store.
jsonc
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role, but it is still failing unfortunately. I don't believe I need the PutParameter permission, as I only need to read the value. Also, it's stored as a string, so I shouldn't need access to KMS to decrypt?

0

Can you elaborate a little more extensively?

As I understand it, when the parameter is changed, the event is sent through EventBridge and the rule is applied to consume this event. The question is: who is the subscriber? Lambda? If yes, you need to add a LambdaPermission to allow EventBridge to invoke your Lambda function.

The policies you listed are needed by the Lambda function to execute your logic to apply the new parameters, but they are not connected to the subscription with EventBridge.

MG
Answered 2 years ago
  • Hi, thanks for your reply. For my target I have Systems Manager Run Command to apply the AmazonCloudWatch-ManageAgent SSM document. My rule looks like this:

    {
        "Name": "update-cloud-watch-agent-linux",
        "Arn": "arn:aws:events:eu-west-2:xxxxxxxxxxxx:rule/update-cloud-watch-agent-linux",
        "EventPattern": "{\"detail\":{\"name\":[\"cloud-watch-config-linux\"],\"operation\":[\"Update\"]},\"detail-type\":[\"Parameter Store Change\"],\"resources\":[\"arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux\"],\"source\":[\"aws.ssm\"]}",
        "State": "ENABLED",
        "Description": "Update Cloud Watch Agent on Linux instances when config file is changed",
        "EventBusName": "default",
        "CreatedBy": "xxxxxxxxxxxx"
    }

    and my targets:

    {
        "Targets": [
            {
                "Id": "update-cloud-watch-agent-linux",
                "Arn": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent",
                "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ssm-run-command",
                "Input": "{\"action\":\"configure\",\"mode\":\"ec2\",\"optionalConfigurationLocation\":\"cloud-watch-config-linux\",\"optionalConfigurationSource\":\"ssm\",\"optionalRestart\":\"yes\"}",
                "RunCommandParameters": {
                    "RunCommandTargets": [
                        {
                            "Key": "tag:os_type",
                            "Values": [ "Linux" ]
                        }
                    ]
                }
            }
        ]
    }
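As an added example (not code from the thread, from AWS, or from the poster's own Terraform), here is how the trust policy, the role policy and the rule target from the comment above fit together in Terraform, scoped to the least privilege the target needs. The account ID 111111111111 is a constructed placeholder, the aws:SourceAccount condition on the trust policy is my addition, and the instance statement allows only the tag value the target actually selects rather than a wildcard.

```hcl
# Trust: only EventBridge, and only from this (placeholder 111111111111) account, may assume the role.
resource "aws_iam_role" "ssm_run_command" {
  name = "ssm-run-command"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "events.amazonaws.com" }
      Condition = { StringEquals = { "aws:SourceAccount" = "111111111111" } }
    }]
  })
}

# SendCommand is authorised against the document ARN and every target instance
# ARN, so both statements are needed. The tag condition mirrors the target
# selector below; StringEquals does not treat "*" as a wildcard.
resource "aws_iam_role_policy" "ssm_run_command" {
  role = aws_iam_role.ssm_run_command.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "ssm:SendCommand", Resource = "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent" },
      {
        Effect    = "Allow"
        Action    = "ssm:SendCommand"
        Resource  = "arn:aws:ec2:eu-west-2:111111111111:instance/*"
        Condition = { StringEquals = { "ec2:ResourceTag/os_type" = "Linux" } }
      }
    ]
  })
}

resource "aws_cloudwatch_event_rule" "param_change" {
  name          = "update-cloud-watch-agent-linux"
  event_pattern = jsonencode({ source = ["aws.ssm"], "detail-type" = ["Parameter Store Change"],
    detail = { name = ["cloud-watch-config-linux"], operation = ["Update"] } })
}

resource "aws_cloudwatch_event_target" "run_command" {
  rule     = aws_cloudwatch_event_rule.param_change.name
  arn      = "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"
  role_arn = aws_iam_role.ssm_run_command.arn
  input = jsonencode({ action = "configure", mode = "ec2", optionalConfigurationSource = "ssm",
    optionalConfigurationLocation = "cloud-watch-config-linux", optionalRestart = "yes" })
  run_command_targets {
    key    = "tag:os_type"
    values = ["Linux"]
  }
}
```

For troubleshooting, CloudTrail records the SendCommand calls made with this role, including AccessDenied errors, which EventBridge itself does not surface.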
