The permissions you are listing in your post are for the Systems Manager service, not for EventBridge. In order to be able to put an event on an event bus, your role should allow the action events:PutEvents on the resource representing the event bus you want to use.
Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately.
Good question!
To utilize EventBridge, and specifically in your case when you're trying to see logs in EventBridge:
- Typically, you will need the events:PutEvents permission. You can read through the rest of the permissions here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-permissions-reference.html
As for your Parameter Store Permissions and Issues, check the following:
- Access to Systems Manager Parameter Store to write to Parameter Store. This will look like an ssm:PutParameter.
- Access to the KMS Key used to encrypt Parameter Store.
Hi, thanks for your reply. I have added the AmazonEventBridgeFullAccess managed policy to the role but it is still failing unfortunately. I don't believe I need the PutParameter permission as I only need to read the value. Also, it's stored as a String, so I shouldn't need access to KMS to decrypt?
Can you elaborate a little more extensively?
As I understand it, when the Parameter is changed, the event is sent through EventBridge and the Rule is applied to consume this event. The question is: who is the subscriber? Lambda? If yes, you need to add a Lambda permission to allow EventBridge to invoke your Lambda function.
The policies you listed are needed by the Lambda function to execute your logic to apply the new parameters, but they are not connected to the subscription with EventBridge.
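The answer above distinguishes the permissions a target needs to do its own work from the permission EventBridge needs to reach the target. That second part differs by target type: Lambda, SQS and SNS targets carry a resource-based policy that trusts events.amazonaws.com (what the answer calls a Lambda permission), while Run Command, Step Functions and Kinesis targets use the RoleArn on the target, which must be assumable by EventBridge. The following added example (not code from the thread) returns the policy document for either model from a target ARN; the service lists, the instance-level resource for Run Command and the confused-deputy conditions are this example's assumptions.

```python
import json

# Which permission model an EventBridge target uses, keyed by the service in the target ARN.
# Assumption for this example: these lists cover the target types discussed in the thread.
RESOURCE_POLICY_TARGETS = {
    "lambda": "lambda:InvokeFunction",  # granted with lambda:AddPermission
    "sqs": "sqs:SendMessage",           # granted in the queue policy
    "sns": "sns:Publish",               # granted in the topic policy
}
ROLE_TARGETS = {
    "ssm": ["ssm:SendCommand"],         # Run Command target: RoleArn on the target
    "states": ["states:StartExecution"],
    "kinesis": ["kinesis:PutRecord", "kinesis:PutRecords"],
}
EVENTS_PRINCIPAL = "events.amazonaws.com"


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields; the resource part may contain colons."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def target_permission(target_arn, rule_arn):
    """Return the policy document(s) that let the rule at rule_arn reach target_arn."""
    target, rule = parse_arn(target_arn), parse_arn(rule_arn)
    service = target["service"]
    if service in RESOURCE_POLICY_TARGETS:
        # The target trusts EventBridge directly; aws:SourceArn pins it to this one rule.
        return {
            "model": "resource-policy",
            "statement": {
                "Effect": "Allow",
                "Principal": {"Service": EVENTS_PRINCIPAL},
                "Action": RESOURCE_POLICY_TARGETS[service],
                "Resource": target_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
            },
        }
    if service in ROLE_TARGETS:
        resources = [target_arn]
        if service == "ssm":
            # Run Command also needs SendCommand on the instances it will target; scoped here
            # to the rule's own account and region (assumption: same-account instances).
            resources.append(
                f"arn:{rule['partition']}:ec2:{rule['region']}:{rule['account']}:instance/*")
        return {
            "model": "role",
            # Trust policy for the RoleArn set on the target; aws:SourceAccount guards
            # against another account's EventBridge assuming the role (confused deputy).
            "trust_policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Service": EVENTS_PRINCIPAL},
                    "Action": "sts:AssumeRole",
                    "Condition": {"StringEquals": {"aws:SourceAccount": rule["account"]}},
                }],
            },
            "permissions_policy": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ROLE_TARGETS[service],
                    "Resource": resources,
                }],
            },
        }
    raise ValueError(f"no permission model known for service {service!r}")


if __name__ == "__main__":
    rule = "arn:aws:events:eu-west-2:123456789012:rule/update-cloud-watch-agent-linux"
    for arn in ("arn:aws:lambda:eu-west-2:123456789012:function:apply-config",
                "arn:aws:sqs:eu-west-2:123456789012:config-changes",
                "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent"):
        print(arn, json.dumps(target_permission(arn, rule), indent=2))
```

The practical consequence for this thread: a managed policy attached to the role only matters for role-model targets, and for the Run Command target it is the RoleArn on the target, not the caller's identity, that EventBridge assumes; for a Lambda or SQS target, no role is consulted at all and the resource-based policy is the only thing to fix.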
Hi, thanks for your reply. For my target I have Systems Manager Run Command to apply the AmazonCloudWatch-ManageAgent SSM document. My rule looks like this:

```json
{
  "Name": "update-cloud-watch-agent-linux",
  "Arn": "arn:aws:events:eu-west-2:xxxxxxxxxxxx:rule/update-cloud-watch-agent-linux",
  "EventPattern": "{\"detail\":{\"name\":[\"cloud-watch-config-linux\"],\"operation\":[\"Update\"]},\"detail-type\":[\"Parameter Store Change\"],\"resources\":[\"arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux\"],\"source\":[\"aws.ssm\"]}",
  "State": "ENABLED",
  "Description": "Update Cloud Watch Agent on Linux instances when config file is changed",
  "EventBusName": "default",
  "CreatedBy": "xxxxxxxxxxxx"
}
```

and my targets:

```json
{
  "Targets": [
    {
      "Id": "update-cloud-watch-agent-linux",
      "Arn": "arn:aws:ssm:eu-west-2::document/AmazonCloudWatch-ManageAgent",
      "RoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ssm-run-command",
      "Input": "{\"action\":\"configure\",\"mode\":\"ec2\",\"optionalConfigurationLocation\":\"cloud-watch-config-linux\",\"optionalConfigurationSource\":\"ssm\",\"optionalRestart\":\"yes\"}",
      "RunCommandParameters": {
        "RunCommandTargets": [
          { "Key": "tag:os_type", "Values": ["Linux"] }
        ]
      }
    }
  ]
}
```
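Before chasing the target role, it is worth confirming that the posted rule matches the event at all: a rule that never matches produces no invocation and no error, whereas a matched rule with a broken target shows up as FailedInvocations on the rule's CloudWatch metrics. The following added example (not code from the thread) reproduces the exact-match subset of EventBridge pattern semantics and checks the posted pattern against a constructed Parameter Store Change event; the event shape and the account id placeholder are this example's assumptions.

```python
# The rule's event pattern as posted in the thread (account id is redacted there; kept as-is).
RULE_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Parameter Store Change"],
    "resources": ["arn:aws:ssm:eu-west-2:xxxxxxxxxxxx:parameter/cloud-watch-config-linux"],
    "detail": {"name": ["cloud-watch-config-linux"], "operation": ["Update"]},
}


def matches(pattern, event):
    """Simplified EventBridge pattern matching (exact-value lists only; no prefix,
    anything-but or numeric matchers): every key in the pattern must exist in the
    event; a list in the pattern is the set of allowed values; a nested object
    recurses; an event field that is itself an array (e.g. "resources") matches
    when any of its elements is an allowed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        else:
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def parameter_store_event(name, operation, account="xxxxxxxxxxxx", region="eu-west-2"):
    """Constructed sample of a 'Parameter Store Change' event (not a captured event);
    the fields used by the rule are name, operation, resources, source and detail-type."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "Parameter Store Change",
        "source": "aws.ssm",
        "account": account,
        "time": "2024-01-01T00:00:00Z",
        "region": region,
        "resources": [f"arn:aws:ssm:{region}:{account}:parameter/{name}"],
        "detail": {"name": name, "type": "String", "operation": operation},
    }


def rule_fires(name, operation):
    """True when the posted rule would route an event for this parameter change."""
    return matches(RULE_PATTERN, parameter_store_event(name, operation))


if __name__ == "__main__":
    for name, op in [("cloud-watch-config-linux", "Update"),
                     ("cloud-watch-config-linux", "Create"),
                     ("cloud-watch-config-windows", "Update")]:
        print(f"{name} {op}: {'fires' if rule_fires(name, op) else 'does not fire'}")
```

As written, the rule fires only for an Update of that one parameter: recreating the parameter (a Create operation after a delete) or changing a differently named parameter is silently ignored, which is the behaviour to rule out before looking at the RoleArn on the target.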
Did you ever find a solution? I have a similar problem but the target is SQS (and I want/need to use a role).