Tags: amazon-iam, aws-cdk, aws-event-bridge, user, principal

Cannot grant permission to EventBridge bus


I am creating a custom bus in AWS EventBridge via CDK:

    import { Stack, StackProps } from 'aws-cdk-lib';
    import * as events from 'aws-cdk-lib/aws-events';
    import * as iam from 'aws-cdk-lib/aws-iam';
    import { Construct } from 'constructs';

    export class EventbridgeStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // Custom bus that another account should be able to publish to
        const targetCoreBus = new events.EventBus(this, 'TargetCoreBus', {
          eventBusName: 'TargetCoreBus',
        });

        targetCoreBus.grantPutEventsTo(new iam.AccountPrincipal('1234567890'));
      }
    }

The bus is created fine, but I assumed the line

    targetCoreBus.grantPutEventsTo(new iam.AccountPrincipal('1234567890'));

would add a policy to the bus that would allow the specified account to put events into it. But it doesn't seem to do anything: nothing new is synthesized in the stack, and no policy is added to the bus. Is this expected, or am I doing something wrong?


Solution

  • grantPutEventsTo adds an inline, identity-based policy to the Grantee. For instance, targetCoreBus.grantPutEventsTo(MyLambda) would add an AWS::IAM::Policy to the Lambda's execution role.

    You want to add the account principal to the Bus' resource-based policy. The CfnEventBusPolicy construct will do just that:

    new events.CfnEventBusPolicy(this, 'CustomBusResourcePolicy', {
      statementId: 'Cross-Account-Bus-20220509',
      action: 'events:PutEvents',
      principal: '123456789012',
      eventBusName: targetCoreBus.eventBusName,
      condition: {...},
    });
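To make the identity-based versus resource-based distinction concrete, here is an added example (not from the question or the answer, and not using aws-cdk-lib) that builds the two kinds of statements by hand and audits which accounts a bus policy actually admits. The bus ARN, account ids and statement id are constructed values; the root-ARN principal form is assumed as the equivalent of the bare account id the answer passes to `principal`.

```typescript
// Added example: hand-built policy statements mirroring what CDK synthesizes.
// All ARNs and account ids below are constructed sample values.
type Statement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { AWS: string };     // present only on resource-based statements
  Action: string;
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
};

const ACCOUNT_RE = /^\d{12}$/;

// Resource-based statement attached to the bus (what CfnEventBusPolicy
// produces): the *other* account is named as the Principal.
function busResourceStatement(busArn: string, peerAccount: string, sid: string): Statement {
  if (!ACCOUNT_RE.test(peerAccount)) {
    // Catches ids like '1234567890' (10 digits) before they reach a template.
    throw new Error(`account id must be 12 digits, got "${peerAccount}"`);
  }
  return {
    Sid: sid,
    Effect: "Allow",
    Principal: { AWS: `arn:aws:iam::${peerAccount}:root` },
    Action: "events:PutEvents",
    Resource: busArn,
  };
}

// Identity-based statement, as grantPutEventsTo attaches to a grantee's role:
// no Principal field, because it lives on the caller's own identity and
// cannot admit anyone from another account on its own.
function granteeStatement(busArn: string): Statement {
  return { Effect: "Allow", Action: "events:PutEvents", Resource: busArn };
}

// Audit helper: which foreign accounts may PutEvents according to the bus
// policy? Identity-based statements contribute nothing here.
function allowedAccounts(statements: Statement[]): string[] {
  const out: string[] = [];
  for (const s of statements) {
    const m = s.Principal?.AWS.match(/^arn:aws:iam::(\d{12}):/);
    if (s.Effect === "Allow" && s.Action === "events:PutEvents" && m) {
      out.push(m[1]);
    }
  }
  return out;
}
```

Running `allowedAccounts` over a synthesized template's bus policy before deploy is a quick way to confirm the cross-account grant really landed on the bus rather than on a role.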