Jon Nichols

Reputation: 2351

Tag based policies for EventBridge PutEvents

Is it possible to configure tag-based policies for the EventBridge PutEvents action?

My hope was that, based on tags in an IAM role, I could control which roles have access to PutEvents on specific event buses. I have attempted to do this with the following resource policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "allow_tags_to_put_events",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": "<event-bus-arn>",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/stage": "test"
      }
    }
  }]
}

This would allow any IAM role tagged with stage=test to be able to PutEvents. But this doesn't appear to be working. Reading this https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html suggests that maybe PutEvents doesn't support the aws:RequestTag condition, but SOME of the actions do, which seems extremely odd to me.

Upvotes: 3

Views: 1069

Answers (1)

Marcin

Reputation: 238877

which seems extremely odd to me.

It's not odd. It's rather common that some condition keys apply to only specific actions, and not others.

So you already answered your own question. The PutEvents action supports only a few keys, none of which is aws:RequestTag:

  • events:detail-type
  • events:source
  • events:eventBusInvocation
  • aws:SourceArn
  • aws:SourceAccount

Upvotes: 1
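To make the answer concrete, here is an added example (not from the question, the answer, or AWS): a small Python model of how an Allow statement with a StringEquals condition is evaluated against the request context of an events:PutEvents call. The context keys follow the answer's list; the event bus ARN, account id and event values are constructed, and only the StringEquals operator is modelled.

```python
# Condition keys EventBridge populates for events:PutEvents, per the answer above.
# aws:RequestTag/* is never among them, so a StringEquals on it cannot match.
PUTEVENTS_CONTEXT_KEYS = {
    "events:detail-type", "events:source", "events:eventBusInvocation",
    "aws:SourceArn", "aws:SourceAccount",
}


def unsupported_condition_keys(statement):
    """Lint: condition keys used in a PutEvents statement that PutEvents never supplies."""
    keys = set()
    for operator_conditions in statement.get("Condition", {}).values():
        keys.update(operator_conditions)
    return sorted(k for k in keys if k not in PUTEVENTS_CONTEXT_KEYS)


def string_equals_matches(condition, context):
    """IAM StringEquals: every listed key must be present in the request context
    AND equal the expected value. A key missing from the context makes the
    condition false (no IfExists suffix here), so the Allow simply never applies."""
    return all(key in context and context[key] == expected
               for key, expected in condition.items())


def put_events_allowed(statement, context):
    """Evaluate one Allow statement for events:PutEvents against a request context."""
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if statement.get("Effect") != "Allow" or "events:PutEvents" not in actions:
        return False
    for operator, condition in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        if not string_equals_matches(condition, context):
            return False
    return True


def allow_statement(condition):
    """The question's statement shape with a given StringEquals condition (constructed ARN)."""
    return {"Sid": "allow_put_events", "Effect": "Allow", "Principal": "*",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/example",
            "Condition": {"StringEquals": condition}}


# Constructed request context for a PutEvents call made by a role tagged stage=test.
# The role's tags do not appear under aws:RequestTag/*: that key carries tags
# supplied in a tagging request, and PutEvents is not one.
SAMPLE_CONTEXT = {"events:source": "com.example.orders",
                  "events:detail-type": "OrderCreated",
                  "aws:SourceAccount": "111122223333"}

REQUEST_TAG_STATEMENT = allow_statement({"aws:RequestTag/stage": "test"})   # the question's policy
SOURCE_STATEMENT = allow_statement({"events:source": "com.example.orders"})  # a supported key

if __name__ == "__main__":
    print(unsupported_condition_keys(REQUEST_TAG_STATEMENT))          # ['aws:RequestTag/stage']
    print(put_events_allowed(REQUEST_TAG_STATEMENT, SAMPLE_CONTEXT))  # False
    print(put_events_allowed(SOURCE_STATEMENT, SAMPLE_CONTEXT))       # True
```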
