
Policies and examples

Last Updated: Feb 01, 2024

EventBridge allows you to use Resource Access Management (RAM) to manage permissions. If you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. You can grant the users only the minimum required permissions. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for EventBridge and provides sample custom policies.

Background information

In RAM, a policy is a set of permissions that are described by using the policy syntax and structure. You can use policies to describe the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.

EventBridge supports the following types of RAM policies:

  • System policies

    System policies are created and updated by Alibaba Cloud. You can attach these policies, but you cannot modify them.

  • Custom policies

    You create, update, and delete custom policies yourself and are responsible for keeping them up to date. You can modify custom policies and attach them to RAM users in the RAM console.

Usage notes

  • The permissions on API operations that are called to create, delete, update, and query resources are checked on a one-action-over-one-resource basis.

  • During authentication, the system checks the permissions to perform actions on a resource. For example, when you call the UpdateRule operation, the system checks whether you have the permissions to perform the UpdateRule action on eventbus/$eventbus.

System policies

The following table describes the default policies that are provided for EventBridge.

| Policy | Description |
| --- | --- |
| AliyunEventBridgeFullAccess | The permissions to manage EventBridge. Such permissions are equivalent to the permissions that an Alibaba Cloud account has. A RAM user to which this policy is attached can publish events and use all features of the EventBridge console. |
| AliyunEventBridgeReadOnlyAccess | The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the EventBridge console or by calling API operations. |
| AliyunEventBridgeResourceCreatePolicy | The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources in the EventBridge console or by calling API operations. |
| AliyunEventBridgeResourceUpdatePolicy | The permissions to modify resources in EventBridge. A RAM user to which this policy is attached can modify resources in the EventBridge console or by calling API operations. |
| AliyunEventBridgeResourceDeletePolicy | The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can delete resources in the EventBridge console or by calling API operations. |
| AliyunEventBridgePutEventsPolicy | The permissions to publish events in EventBridge. A RAM user to which this policy is attached can publish events in the EventBridge console or by calling API operations. |

Custom policies

You can define custom policies to grant fine-grained permissions to RAM users. The following table describes actions and resources that can be used to define custom policies for EventBridge.

| API operation | Action | Resource |
| --- | --- | --- |
| CreateEventBus | eventbridge:CreateEventBus | acs:eventbridge:$regionId:$accountId:eventbus/* |
| GetEventBus | eventbridge:GetEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
| DeleteEventBus | eventbridge:DeleteEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
| ListEventBuses | eventbridge:ListEventBuses | acs:eventbridge:$regionId:$accountId:eventbus/* |
| CreateRule | eventbridge:CreateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
| GetRule | eventbridge:GetRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| UpdateRule | eventbridge:UpdateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| EnableRule | eventbridge:EnableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| DisableRule | eventbridge:DisableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| DeleteRule | eventbridge:DeleteRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| ListRules | eventbridge:ListRules | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
| UpdateTargets | eventbridge:UpdateTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| DeleteTargets | eventbridge:DeleteTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| ListTargets | eventbridge:ListTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
| PutEvents | eventbridge:PutEvents | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
| CreateEventStreaming | eventbridge:CreateEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/* |
| StartEventStreaming | eventbridge:StartEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
| PauseEventStreaming | eventbridge:PauseEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
| GetEventStreaming | eventbridge:GetEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
| UpdateEventStreaming | eventbridge:UpdateEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
| DeleteEventStreaming | eventbridge:DeleteEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
| ListEventStreamings | eventbridge:ListEventStreamings | acs:eventbridge:$regionId:$accountId:eventstreaming/* |

Sample custom policies

You can use the following code to define a custom policy that is used to authorize RAM users to manage event buses:

{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses"
            ],
            "Resource":"acs:eventbridge:*:*:eventbus/*"
        }
    ],
    "Version":"1"
}

You can use the following code to define a custom policy that is used to authorize RAM users to manage event streams:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:CreateEventStreaming",
                "eventbridge:StartEventStreaming",
                "eventbridge:GetEventStreaming",
                "eventbridge:DeleteEventStreaming",
                "eventbridge:ListEventStreamings",
                "eventbridge:UpdateEventStreaming",
                "eventbridge:PauseEventStreaming"
            ],
            "Resource": "acs:eventbridge:*:*:eventstreaming/*"
        }
    ]
}
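The sample policies above use `acs:eventbridge:*:*:...` resources, which grant the listed actions on every bus or stream in every region. To show how the action/resource table and the one-action-over-one-resource check combine into a narrower grant, the following added example (not code from the page or from Alibaba Cloud) evaluates a constructed policy that allows rule management on a single bus and explicitly denies DeleteRule everywhere. The region, account ID, bus name, and the assumed RAM semantics (default deny, explicit Deny overriding Allow, `*` as the only wildcard) are assumptions of this example.

```python
import json
import re

# Constructed sample policy (not from the page): a RAM user may manage the
# rules of one event bus only. Region, account ID and bus name are placeholders.
SCOPED_RULE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eventbridge:*Rule", "eventbridge:ListRules"],
      "Resource": "acs:eventbridge:cn-hangzhou:123456789012:eventbus/orders/rule/*"
    },
    {
      "Effect": "Deny",
      "Action": "eventbridge:DeleteRule",
      "Resource": "acs:eventbridge:*:*:eventbus/*/rule/*"
    }
  ]
}
""")

def pattern_matches(pattern: str, value: str) -> bool:
    """Match a policy pattern in which only '*' is a wildcard; every other
    character is compared literally (an assumption of this example)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def as_list(field):
    """Action and Resource may be a single string or a list of strings."""
    return [field] if isinstance(field, str) else list(field)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """One-action-over-one-resource check. Assumed RAM semantics: default
    deny, and an explicit Deny statement overrides any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(pattern_matches(a, action) for a in as_list(stmt["Action"]))
        resource_hit = any(pattern_matches(r, resource) for r in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins over every Allow
            allowed = True
    return allowed
```

With this policy, UpdateRule on a rule of the `orders` bus is allowed, the same action on any other bus falls through to the default deny, and DeleteRule is refused even though `eventbridge:*Rule` would otherwise match it.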