EventBridge allows you to use Resource Access Management (RAM) to manage permissions. If you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users, and you can grant each RAM user only the minimum permissions required. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for EventBridge and provides sample custom policies.
Background information
In RAM, a policy is a set of permissions that are described by using the policy syntax and structure. You can use policies to describe the authorized resource sets, authorized action sets, and authorization conditions. For more information, see Policy structure and syntax.
EventBridge supports the following types of RAM policies:
System policies: created and updated by Alibaba Cloud. You can attach these policies to RAM users, but you cannot modify them.
Custom policies: created, updated, and deleted by you, and you are responsible for maintaining them. You can modify custom policies and attach them to RAM users in the RAM console.
Usage notes
Permissions on the API operations that create, delete, update, and query resources are checked on a one-action-over-one-resource basis: for each call, the system checks whether the caller is authorized to perform that single action on that single resource. For example, when you call the UpdateRule operation, the system checks whether you have permissions to perform the eventbridge:UpdateRule action on acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule. A policy whose Resource covers only the event bus, or only a different rule, does not satisfy this check.
System policies
The following table describes the default policies that are provided for EventBridge.
Policy | Description |
--- | --- |
AliyunEventBridgeFullAccess | The permissions to manage EventBridge. Such permissions are equivalent to the permissions that an Alibaba Cloud account has on EventBridge. A RAM user to which this policy is attached can publish events and use all features of the EventBridge console. Attach this policy only to RAM users that must administer the service; for other users, use a narrower system policy or a custom policy. |
AliyunEventBridgeReadOnlyAccess | The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceCreatePolicy | The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceUpdatePolicy | The permissions to modify resources in EventBridge. A RAM user to which this policy is attached can modify resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceDeletePolicy | The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can delete resources in the EventBridge console or by calling API operations. |
AliyunEventBridgePutEventsPolicy | The permissions to publish events in EventBridge. A RAM user to which this policy is attached can publish events in the EventBridge console or by calling API operations. |
Custom policies
You can define custom policies to grant fine-grained permissions to RAM users. The following table describes the actions and resources that can be used to define custom policies for EventBridge. In the Resource column, replace $regionId, $accountId, $eventbus, $rule, and $eventstreaming with the actual values; a * in a segment matches all values of that segment.
API operation | Action | Resource |
--- | --- | --- |
CreateEventBus | eventbridge:CreateEventBus | acs:eventbridge:$regionId:$accountId:eventbus/* |
GetEventBus | eventbridge:GetEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
DeleteEventBus | eventbridge:DeleteEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
ListEventBuses | eventbridge:ListEventBuses | acs:eventbridge:$regionId:$accountId:eventbus/* |
CreateRule | eventbridge:CreateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
GetRule | eventbridge:GetRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
UpdateRule | eventbridge:UpdateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
EnableRule | eventbridge:EnableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DisableRule | eventbridge:DisableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DeleteRule | eventbridge:DeleteRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
ListRules | eventbridge:ListRules | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
UpdateTargets | eventbridge:UpdateTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DeleteTargets | eventbridge:DeleteTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
ListTargets | eventbridge:ListTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
PutEvents | eventbridge:PutEvents | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
CreateEventStreaming | eventbridge:CreateEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/* |
StartEventStreaming | eventbridge:StartEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
PauseEventStreaming | eventbridge:PauseEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
GetEventStreaming | eventbridge:GetEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
UpdateEventStreaming | eventbridge:UpdateEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
DeleteEventStreaming | eventbridge:DeleteEventStreaming | acs:eventbridge:$regionId:$accountId:eventstreaming/$eventstreaming |
ListEventStreamings | eventbridge:ListEventStreamings | acs:eventbridge:$regionId:$accountId:eventstreaming/* |
Sample custom policies
You can use the following code to define a custom policy that authorizes RAM users to manage event buses. The Resource value uses * for both the region ID and the account ID, so the policy applies to event buses in every region. To follow the principle of least privilege, replace the wildcards with the specific $regionId and $accountId, and name the event bus where the user needs only one:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventBus",
        "eventbridge:GetEventBus",
        "eventbridge:DeleteEventBus",
        "eventbridge:ListEventBuses"
      ],
      "Resource": "acs:eventbridge:*:*:eventbus/*"
    }
  ]
}
You can use the following code to define a custom policy that authorizes RAM users to manage event streams. As with the previous sample, replace the * wildcards in the Resource value with a specific $regionId and $accountId where possible:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventStreaming",
        "eventbridge:StartEventStreaming",
        "eventbridge:GetEventStreaming",
        "eventbridge:DeleteEventStreaming",
        "eventbridge:ListEventStreamings",
        "eventbridge:UpdateEventStreaming",
        "eventbridge:PauseEventStreaming"
      ],
      "Resource": "acs:eventbridge:*:*:eventstreaming/*"
    }
  ]
}
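The following Python script is an added example and is not code from the Alibaba Cloud documentation. It ties together the usage notes (one action is checked against one resource) and the custom-policy table: build_policy() generates a policy scoped to one region, account, and event bus instead of the *:* wildcards in the samples above, and is_allowed() checks a single (action, resource) pair against it. The matcher is a simplified model written for this example: it treats * in an Action or Resource as a shell-style glob and ignores Deny statements and Condition blocks, so it is not a substitute for testing in the RAM console. The region ID, account ID, bus name, and rule name are constructed placeholders.

```python
"""Build a least-privilege EventBridge RAM policy and check it one action at a time.

Added example, not code from the Alibaba Cloud documentation. Assumptions that
are not from the page: is_allowed() is a simplified model of RAM matching ('*'
expands like a shell glob and spans '/', Deny statements and Condition blocks
are not handled); region, account ID, bus and rule names are placeholders.
"""
import json
from fnmatch import fnmatchcase

# Resource path per action, copied from the custom-policy table on this page.
# {bus} and {rule} are filled in when the policy is generated.
RESOURCE_FOR_ACTION = {
    "eventbridge:PutEvents":     "eventbus/{bus}",
    "eventbridge:GetEventBus":   "eventbus/{bus}",
    "eventbridge:CreateRule":    "eventbus/{bus}/rule/*",
    "eventbridge:ListRules":     "eventbus/{bus}/rule/*",
    "eventbridge:GetRule":       "eventbus/{bus}/rule/{rule}",
    "eventbridge:UpdateRule":    "eventbus/{bus}/rule/{rule}",
    "eventbridge:EnableRule":    "eventbus/{bus}/rule/{rule}",
    "eventbridge:DisableRule":   "eventbus/{bus}/rule/{rule}",
    "eventbridge:DeleteRule":    "eventbus/{bus}/rule/{rule}",
    "eventbridge:UpdateTargets": "eventbus/{bus}/rule/{rule}",
    "eventbridge:DeleteTargets": "eventbus/{bus}/rule/{rule}",
    "eventbridge:ListTargets":   "eventbus/{bus}/rule/{rule}",
}


def resource_arn(region: str, account: str, path: str) -> str:
    """Assemble the acs:eventbridge:$regionId:$accountId:<path> form used in the table."""
    return f"acs:eventbridge:{region}:{account}:{path}"


def build_policy(region, account, bus, actions, rule="*"):
    """Emit a RAM policy that allows only `actions`, each on the resource the
    table prescribes, scoped to one region, account and bus. Actions that need
    the same resource ARN are grouped into one statement."""
    by_resource = {}
    for action in actions:
        path = RESOURCE_FOR_ACTION[action].format(bus=bus, rule=rule)
        by_resource.setdefault(resource_arn(region, account, path), []).append(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": res}
        for res, acts in sorted(by_resource.items())
    ]
    return {"Version": "1", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """One-action-over-one-resource check (simplified model, see module docstring):
    allowed if some Allow statement lists a matching action and a matching resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholders: a producer that may only publish to the
    # "orders" bus and inspect or update that bus's rules.
    policy = build_policy("cn-hangzhou", "123456789012", "orders",
                          ["eventbridge:PutEvents", "eventbridge:ListRules",
                           "eventbridge:UpdateRule"])
    print(json.dumps(policy, indent=2))
    other_bus = resource_arn("cn-hangzhou", "123456789012", "eventbus/billing")
    print("PutEvents to billing:", is_allowed(policy, "eventbridge:PutEvents", other_bus))  # False
```

Passing bus="*" to build_policy() reproduces the eventbus/* resource of the page's own sample; under this example's matching model that pattern covers every bus, and, because the * spans the slash, every rule path beneath it as well, so name the bus whenever a user needs only one.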