Tags: amazon-web-services, amazon-iam, amazon-sqs, aws-event-bridge

EventBridge won't send message to SQS - are my access correctly created?


I have created an EventBus via CloudFormation and it has a few rules that are supposed to send a message to an SQS queue. The rules created through the console to troubleshoot work fine, but not the ones created through CF. I suspect it might be access-related, as AWS states the following in the console:

Note: When using the EventBridge console, EventBridge will automatically configure the proper permissions for the selected targets. If you're using the AWS CLI, SDK, or CloudFormation, you'll need to configure the proper permissions.

I also have one rule that doesn't work, but when I add the same SQS target as target 2 to the same rule, both targets work as intended. When I remove it, the original from CF stops working. I cannot see any changes in IAM when adding a rule/target in the console.

I have tried to create a service role for EventBridge in IAM; I was expecting that to solve the issue, but it didn't.

My IAM role created in CloudFormation (YAML):

  EventBridgeServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: EventBridgeServiceRole
      # Trust policy: lets the EventBridge service assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
      # Permissions attached to the role (broad AWS-managed policies)
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess
        - arn:aws:iam::aws:policy/AmazonSQSFullAccess
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

Any suggestions?


Solution

  • To allow a Rule on your EventBus to deliver to SQS, you need to configure a Resource Based Policy on the SQS Queue. There is more information on this in the EventBridge documentation topic Using resource-based policies for Amazon EventBridge - Amazon SQS permissions

    For example, your queue policy might look like this:

      EventBridgeToSqsPolicy:
        Type: AWS::SQS::QueuePolicy
        Properties:
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Grants the EventBridge service principal permission to
              # deliver messages to this queue
              - Effect: Allow
                Principal:
                  Service: events.amazonaws.com
                Action: sqs:SendMessage
                Resource: !GetAtt SQSQueueResource.Arn
          Queues:
            - !Ref SQSQueueResource

    This assumes you don't have an existing policy for the queue, in which case you would need to combine this with the existing statements.
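The following is an added example, not code from the question or the answer above: a complete CloudFormation template that wires a rule on a custom event bus to an SQS queue. It shows the full set of resources the answer refers to, and scopes the queue policy to the one rule that should be allowed to deliver, using an `aws:SourceArn` condition, so that no other rule using the same service principal can post to the queue. The resource logical IDs (`OrdersBus`, `OrdersQueue`, `OrdersToQueueRule`, `OrdersQueuePolicy`), the event bus and queue names, and the `my.orders` event source are all assumptions made for the example. Note that the rule target carries no `RoleArn`: for SQS targets EventBridge is authorized by the queue's resource-based policy, which is why the IAM role in the question had no effect.

```yaml
# Added example (not the asker's or answerer's code). All resource names,
# the bus/queue names and the event source below are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: EventBridge rule delivering to SQS with a rule-scoped queue policy (example)

Resources:
  OrdersBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: orders-bus                  # assumed bus name

  OrdersQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: orders-from-eventbridge   # assumed queue name

  OrdersToQueueRule:
    Type: AWS::Events::Rule
    Properties:
      EventBusName: !Ref OrdersBus
      EventPattern:
        source:
          - my.orders                   # assumed event source
      State: ENABLED
      Targets:
        - Id: orders-queue
          Arn: !GetAtt OrdersQueue.Arn
          # No RoleArn here: EventBridge authorizes SQS delivery through the
          # queue's resource-based policy, not through an execution role.

  # This resource-based policy is what actually grants delivery. Without it
  # the rule is created successfully but every invocation fails to deliver.
  OrdersQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref OrdersQueue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventBridgeRuleToSendMessage
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt OrdersQueue.Arn
            # Restrict the grant to this one rule. The service principal is
            # shared by every EventBridge rule in every account, so without
            # this condition any rule could be pointed at the queue.
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt OrdersToQueueRule.Arn
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name eventbridge-sqs-example`, then confirm the policy landed with `aws sqs get-queue-attributes --queue-url <queue-url> --attribute-names Policy`. If a rule fires but nothing arrives in the queue, the `FailedInvocations` metric for the rule in the `AWS/Events` CloudWatch namespace is the first place to look; a non-zero value with a correct event pattern almost always means the target's resource-based policy is missing or does not match the rule.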