IAM Role for EventBridge

0

Hi, I am trying to trigger a Run Command document on a bunch of EC2 instances when a parameter in Parameter Store is updated. The rule gets triggered as expected, but I can see from the events in CloudWatch that all invocations fail. I'm a bit lost as to how to troubleshoot it, as there don't seem to be any logs available in EventBridge. I'm thinking it might be to do with the IAM role used for the targets. If you set up the targets manually through the EventBridge console this role can be created automatically; however, I am required to create all infra via Terraform, so I need to create and assign the role separately. Documentation on the role requirements is a bit thin on the ground, but this is what I have so far:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/os_type": "*"
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux"
        }
    ]
}

with events.amazonaws.com being able to assume the role.

Any suggestions on how to troubleshoot this further, or advice on the IAM role permissions required, would be much appreciated.

Many thanks.

  • Did you ever find a solution? I have a similar problem but the target is SQS (and I want/need to use a role).

Asked 2 years ago, viewed 5324 times
3 answers
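As an added troubleshooting aid (not part of the thread or of any AWS tooling), the script below lints the posted permissions policy together with a constructed trust policy for events.amazonaws.com: it checks that EventBridge can assume the role, that ssm:SendCommand covers both the document ARN and the instance ARN that a Run Command target needs, and flags the StringEquals condition, because IAM compares StringEquals values literally (a value of "*" only matches a tag whose value is exactly "*"; wildcard matching needs StringLike). The function names and the trust policy are assumptions of this example.

```python
import json
# Permissions policy as posted in the question (account id redacted as on the page).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/os_type": "*"}}},
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"},
        {"Effect": "Allow", "Action": "ssm:GetParameter",
         "Resource": "arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux"},
    ],
}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed, per the post's description
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "events.amazonaws.com"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_run_command_role(trust, perms):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    trusted = {svc for s in trust["Statement"] if s["Effect"] == "Allow" and isinstance(s.get("Principal"), dict)
               for svc in _as_list(s["Principal"].get("Service", []))}
    if "events.amazonaws.com" not in trusted:
        findings.append("trust policy does not let events.amazonaws.com assume the role")
    # Run Command needs ssm:SendCommand on the document AND on the instances (ARN field 5 is type/id).
    send = [s for s in perms["Statement"]
            if s["Effect"] == "Allow" and "ssm:SendCommand" in _as_list(s["Action"])]
    covered = {r.split(":")[5].split("/")[0] if r.count(":") >= 5 else "*"
               for s in send for r in _as_list(s["Resource"])}
    for needed in ("document", "instance"):
        if "*" not in covered and needed not in covered:
            findings.append(f"no ssm:SendCommand statement covers the {needed} resource")
    # StringEquals compares literally: "*" only matches a tag whose value is exactly "*".
    for s in send:
        for key, vals in s.get("Condition", {}).get("StringEquals", {}).items():
            if any("*" in v or "?" in v for v in _as_list(vals)):
                findings.append(f"StringEquals on {key} uses a wildcard; StringLike is needed")
    return findings

def with_string_like(perms):
    """Deep copy of perms with each StringEquals condition rewritten as StringLike."""
    fixed = json.loads(json.dumps(perms))
    for cond in (s.get("Condition", {}) for s in fixed["Statement"]):
        if "StringEquals" in cond:
            cond["StringLike"] = cond.pop("StringEquals")
    return fixed
```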
0

The permissions you are listing in your post are for the Systems Manager service, not for EventBridge. In order to be able to put an event on an event bus, your role should allow the action events:PutEvents on the resource representing the event bus you want to use.

jgg
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately.

0

Good question!

To utilize EventBridge and specifically in your case when you're trying to see logs in EventBridge:

As for your Parameter Store Permissions and Issues, check the following:

  • Access to Systems Manager Parameter Store to write to Parameter Store. This will look like an ssm:PutParameter.
  • Access to the KMS Key used to encrypt Parameter Store.
jsonc
Answered 2 years ago
  • Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately. I don't believe I need the PutParameter permission as I only need to read the value. Also, it's stored as a string so I shouldn't need access to KMS to decrypt?

0

Can you elaborate a little more extensively?

As I understand, when the Parameter is changed, the event is sent through EventBridge and the Rule is applied to consume this event. The question is who is a subscriber? Lambda? If yes, you need to add LambdaPermission to allow EventBridge to invoke your Lambda function.

The policies you listed are needed by the Lambda function to execute your logic to apply new parameters, but are not connected to the subscription with EventBridge.

MG
Answered 2 years ago
  • Hi, thanks for your reply. For my target I have Systems Manager Run Command to apply the AmazonCloudWatch-ManageAgent SSM document. My rule looks like this:

    {
        "Name": "update-cloud-watch-agent-linux",
        "Arn": "arn:aws:events:eu-west-2:xxxxxxxxxxxx:rule/update-cloud-watch-agent-linux",
        "EventPattern": "{\"detail\":{\"name\":[\"cloud-watch-config-linux\"],\"operation\":[\"Update\"]},\"detail-type\":[\"Parameter Store Change\"],\"resources\":[\"arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux\"],\"source\":[\"aws.ssm\"]}",
        "State": "ENABLED",
        "Description": "Update Cloud Watch Agent on Linux instances when config file is changed",
        "EventBusName": "default",
        "CreatedBy": "xxxxxxxxxxxx"
    }

    and my targets:

    {
        "Targets": [
            {
                "Id": "update-cloud-watch-agent-linux",
                "Arn": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent",
                "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ssm-run-command",
                "Input": "{\"action\":\"configure\",\"mode\":\"ec2\",\"optionalConfigurationLocation\":\"cloud-watch-config-linux\",\"optionalConfigurationSource\":\"ssm\",\"optionalRestart\":\"yes\"}",
                "RunCommandParameters": {
                    "RunCommandTargets": [
                        { "Key": "tag:os_type", "Values": [ "Linux" ] }
                    ]
                }
            }
        ]
    }
