Permissions for lambda to create event events:PutEvents-CodePudding

I want to have a lambda creating EventBridge events but I get this error when calling the lambda:

User: arn:aws:sts::120293923901:assumed-role/MyApiOrdersPostFunct-I1QOYC7P1R0Z/MyApiOrdersPostFunct-SJtAeYoiaguW is not authorized to perform: events:PutEvents on resource: arn:aws:events:eu-north-1:120293923901:event-bus/MyApiEventBus because no identity-based policy allows the events:PutEvents action

I've added policies but no change.

Here is the lambda calling eventbridge.


import { APIGatewayProxyHandler, APIGatewayProxyResult } from 'aws-lambda';
import { EventBridgeClient, PutEventsCommand } from '@aws-sdk/client-eventbridge';

const eventBridge = new EventBridgeClient({ region: 'eu-north-1' });

export const post: APIGatewayProxyHandler = async (): Promise<APIGatewayProxyResult> => {
    const event = new PutEventsCommand({
        Entries: [{
            EventBusName: 'MyApiEventBus',
            Source: 'MyApiEventBus.OrderCreated',
            DetailType: 'OrderCreated',
            Detail: JSON.stringify({ description: 'order has been created' }),
        }]
    });
        eventBridge.send(event);

    return {
        statusCode: 200,
        body: '',
    };
};

Here is the CDK config. There are two policies (attachInlinePolicy, addToRolePolicy) because I tested both.

import {
    RestApi,
    DomainName,
    BasePathMapping,
    LambdaIntegration,
    Model,
} from '@aws-cdk/aws-apigateway';
import { EventBus, Rule } from '@aws-cdk/aws-events';
import { NodejsFunction } from '@aws-cdk/aws-lambda-nodejs';
import { Policy, PolicyStatement } from '@aws-cdk/aws-iam';

const MyApi = new RestApi(this, `RestApi`, {
  restApiName: 'My API',
  description: 'The My API',
});

// Add an Event Bus
const bus = new EventBus(this, `EventBus`, {
  eventBusName: 'MyApiEventBus',
});

// Add API endpoint
const ordersResource = MyApi.root.addResource('orders');

const ordersPostFunction = new NodejsFunction(this, `OrdersPostFunction`, {
  entry: './lambda.ts',
  handler: 'post',
});

// Allow lambda to create events
ordersPostFunction.addToRolePolicy(
  new PolicyStatement({
    actions: ['events:PutEvents'],
    resources: [bus.eventBusArn],
  }),
);

ordersPostFunction.role?.attachInlinePolicy(
  new Policy(this, `OrdersPostEventBusPolicy`, {
    statements: [
      new PolicyStatement({
        actions: ['events:PutEvents'],
        resources: [bus.eventBusArn],
      }),
    ],
  }),
);

// Role to allow for creating event (not working?)
bus.grantPutEventsTo(ordersPostFunction);

Lambda role document

{
  "sdkResponseMetadata": null,
  "sdkHttpMetadata": null,
  "partial": false,
  "permissionsBoundary": null,
  "policies": [
    {
      "arn": null,
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
            "Effect": "Allow"
          }
        ]
      },
      "id": null,
      "name": "MyApiOrdersPostEventBusPolicyACA51C2D",
      "type": "inline"
    },
    {
      "arn": null,
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
            "Effect": "Allow"
          }
        ]
      },
      "id": null,
      "name": "MyApiOrdersPostFunctionServiceRoleDefaultPolicyE7615F17",
      "type": "inline"
    },

CodePudding user response：

Your Event Bus is located in the eu-west-1 region, as shown by the generated policy, but you're trying to access it from eu-north-1. Change the region and it will work.