
I want to allow some EventBridge rules (CloudWatch Events) whose names start with a certain syntax to perform an action on the Lambda. But I wouldn't want to create a permission for every rule I add that starts with such a syntax.

I created this relationship policy, which should allow any rule whose name starts with prefix_, but it doesn't work.

```json
{
  "Sid": "EventsPrefix",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:<<<ACCOUNT_ID>>>:function:<<<LAMBDA_NAME>>>",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:us-east-1:<<<ACCOUNT_ID>>>:rule/prefix_*"
    }
  }
}
```

However, of course, if I specify the full ARN it works.

```json
{
  "Sid": "EventsPrefix",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:<<<ACCOUNT_ID>>>:function:<<<LAMBDA_NAME>>>",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:us-east-1:<<<ACCOUNT_ID>>>:rule/prefix_123"
    }
  }
}
```

So, is there any way to allow performing actions by passing a part of the ARN?

Cava
  • Does this answer your question? [Is it possible to specify a pattern for an AWS role Trust Relationship](https://stackoverflow.com/questions/53429229/is-it-possible-to-specify-a-pattern-for-an-aws-role-trust-relationship) – Stéphane Bruckert Feb 09 '23 at 14:29
  • @StéphaneBruckert It's similar, but this one is for **iam**, which really works, but my question is for **lambda**. – Cava Feb 10 '23 at 02:29
  • so `StringLike` with `PrincipalArn` works? – Stéphane Bruckert Feb 10 '23 at 03:52

0 Answers
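As an added illustration (not code from the question or from AWS), here is a small Python model of how an `ArnLike` condition is evaluated: the ARN is split into its six colon-delimited segments, each segment is matched separately, `*` and `?` never cross a colon, and matching is case-sensitive. It runs the questioner's statement, with constructed account and function names, against a default-bus rule ARN that the pattern matches, and against two ARNs it does not: a rule on a custom event bus, whose ARN carries the bus name (`rule/<bus>/<name>`), and a differently-cased rule name.

```python
import json
import re

# The questioner's wildcard statement; account id and function name are constructed placeholders.
STATEMENT = json.loads("""{
  "Sid": "EventsPrefix",
  "Effect": "Allow",
  "Principal": {"Service": "events.amazonaws.com"},
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-func",
  "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:events:us-east-1:111122223333:rule/prefix_*"}}
}""")


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: six colon-separated segments matched independently;
    '*' and '?' are wildcards inside a segment and never span a colon."""
    pat_parts, arn_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(pat_parts) != 6 or len(arn_parts) != 6:
        return False
    for p, a in zip(pat_parts, arn_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if not re.fullmatch(regex, a):  # re is case-sensitive, as ArnLike is
            return False
    return True


def statement_allows(stmt: dict, service: str, action: str, resource: str, source_arn: str) -> bool:
    """Evaluate one Allow statement against a request context.
    Condition key names are compared case-insensitively, as IAM does."""
    if stmt["Effect"] != "Allow" or stmt["Principal"].get("Service") != service:
        return False
    if stmt["Action"] != action or stmt["Resource"] != resource:
        return False
    conds = {k.lower(): v for k, v in stmt.get("Condition", {}).get("ArnLike", {}).items()}
    pattern = conds.get("aws:sourcearn")
    return pattern is None or arn_like(pattern, source_arn)


def check(source_arn: str) -> bool:
    """Would an EventBridge invocation carrying this SourceArn be allowed by STATEMENT?"""
    return statement_allows(STATEMENT, "events.amazonaws.com", "lambda:InvokeFunction",
                            STATEMENT["Resource"], source_arn)


if __name__ == "__main__":
    for arn in ("arn:aws:events:us-east-1:111122223333:rule/prefix_123",
                "arn:aws:events:us-east-1:111122223333:rule/my-bus/prefix_123",
                "arn:aws:events:us-east-1:111122223333:rule/Prefix_123"):
        print(arn, "->", check(arn))
```

When a wildcard statement that looks right is still denied, the first thing to compare is the exact `SourceArn` the invoking rule actually carries (event bus included) against the pattern, segment by segment.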