
Is it possible to configure tag-based policies for the EventBridge PutEvents action?

My hope was that, based on tags in an IAM role, I could control which roles have access to PutEvents on specific event buses. I have attempted to do this with the following resource policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "allow_tags_to_put_events",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": "<event-bus-arn>",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/stage": "test"
      }
    }
  }]
}

This would allow any IAM role tagged with stage=test to be able to PutEvents. But this doesn't appear to be working. Reading this https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html suggests that maybe PutEvents doesn't support the aws:RequestTag condition, but SOME of the actions do, which seems extremely odd to me.

Jon Nichols

1 Answer


which seems extremely odd to me.

It's not odd. It's rather common that some condition keys apply only to specific actions, and not to others.

So you already answered your own question. The PutEvents action supports only a few keys, none of which is aws:RequestTag:

  • events:detail-type
  • events:source
  • events:eventBusInvocation
  • aws:SourceArn
  • aws:SourceAccount
Marcin
  • I guess I considered it odd because it seems like the action where tag-based access would be most useful. EventBridge supports some request tag access, but not on the action that seems most useful. That is what I found odd, and wondered if it was a mistake. I guess not. – Jon Nichols Apr 15 '21 at 17:39
  • @JonNichols I understand. You have to get used to it. AWS is very inconsistent, especially in IAM rules. – Marcin Apr 16 '21 at 00:02
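As an added example (not code from the question or the answer), a small Python policy lint that flags condition keys an action does not support, using the key list the answer gives for events:PutEvents. The event bus ARN is a placeholder, the sample policy is the one from the question, and the key table is limited to what the answer lists.

```python
import json
# Constructed sample: the resource policy from the question, ARN replaced by a placeholder.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "allow_tags_to_put_events",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "events:PutEvents",
    "Resource": "arn:aws:events:us-east-1:111122223333:event-bus/PLACEHOLDER-BUS",
    "Condition": {"StringEquals": {"aws:RequestTag/stage": "test"}}
  }]
}"""

# Condition keys the answer lists for events:PutEvents (service-specific view only).
SUPPORTED_KEYS = {
    "events:PutEvents": {"events:detail-type", "events:source", "events:eventBusInvocation",
                         "aws:SourceArn", "aws:SourceAccount"},
}

def base_key(key):
    """Tag-style keys carry a '/tag-key' suffix (aws:RequestTag/stage); compare on the base."""
    return key.split("/", 1)[0]

def unsupported_conditions(policy):
    """Return (Sid, Effect, action, operator, key) for each condition key the action does
    not support. With a non-IfExists operator such as StringEquals, a key absent from the
    request context evaluates false: the Allow never grants, and a Deny never denies."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for action in actions:
            supported = SUPPORTED_KEYS.get(action)
            if supported is None:
                continue  # action not in the table; nothing to check
            bases = {base_key(k) for k in supported}
            for operator, pairs in st.get("Condition", {}).items():
                for key in pairs:
                    if base_key(key) not in bases:
                        findings.append((st.get("Sid"), st["Effect"], action, operator, key))
    return findings

def lint(policy_json):
    """Parse a policy document and return its unsupported-condition findings."""
    return unsupported_conditions(json.loads(policy_json))

if __name__ == "__main__":
    for finding in lint(POLICY_JSON):
        print("unsupported condition key:", finding)
```

Running it on the question's policy reports the aws:RequestTag/stage key as unsupported for events:PutEvents, which is why the statement never matches.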