Unlock the Power of AI

1 million free tokens

88% Price Reduction

Activate Now
Home PageEventBridgeUse CasesTutorialRoute events across Alibaba Cloud accounts
Search for Help Content

Route events across Alibaba Cloud accounts

Updated at: 2025-01-14 08:47
Community

In specific cases, different Alibaba Cloud accounts in the same organization or related organizations need to exchange events. You can use the cross-account event routing feature of EventBridge to route events from multiple Alibaba Cloud accounts to one Alibaba Cloud account for centralized processing. This topic describes the background information, limits, and procedure for routing events across Alibaba Cloud accounts. This topic also describes how to verify the result.

Background information

In an actual scenario shown in the following figure, Alibaba Cloud Accounts A and B belong to the same organization or related organizations. You can route the audit events of the Resource Access Management (RAM) user of Alibaba Cloud Account A to the default event bus of Alibaba Cloud Account B for centralized processing by performing the following steps:

  1. Use Alibaba Cloud Account B that receives events to create a RAM role. Set the trusted entity of the RAM role to Alibaba Cloud Account A that sends events.

  2. Use Alibaba Cloud Account B to grant the RAM role the permissions to publish events. Alibaba Cloud Account A can assume the RAM role to obtain the permissions to publish events to Alibaba Cloud Account B.

  3. Use Alibaba Cloud Account B to modify the trust policy of the RAM role and attach the policy that is used to grant the permissions to publish events to the Alibaba Cloud services of Alibaba Cloud Account B. The Alibaba Cloud services of Alibaba Cloud Account B can also assume the RAM role to obtain the permissions to publish events to Alibaba Cloud Account B.

  4. Use Alibaba Cloud Account A to create an event rule and route audit events to the default event bus of Alibaba Cloud Account B.

跨账号路由事件

Note

Events from multiple accounts can be routed to the same event bus of an account. The aliyunoriginalaccountid extended field of the events specifies the sources of the events. The account to which the events are routed can filter the events based on the aliyunoriginalaccountid field.

Limits

  • You can route events across Alibaba Cloud accounts only in the same region.

  • Events of a system event bus can be routed only to a system event bus. Events of a custom event bus can be routed only to a custom event bus.

Step 1: Create a RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role. image

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.image

  5. Configure the RAM role.

    1. Configure the RAM Role Name parameter.

    2. (Optional) Configure the Note parameter.

    3. Set the Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account, enter the ID of Alibaba Cloud Account A that sends events, and then click OK.

Step 2: Grant permissions to the RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.

    image

    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Specify the authorization scope.

      • Account: The permissions are granted to the current Alibaba Cloud account.

      • ResourceGroup: The permissions are granted to a specific resource group.

        Note

        If you select ResourceGroup for the Resource Scope parameter, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select the policy.

      In the Policy section, find and select AliyunEventBridgePutEventsPolicy. Then, click Grant permissions.

      Note

      • You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

      • If the system policies cannot meet your requirements, you can create a custom policy to implement fine-grained access control. This way, you can grant permissions on specific event buses to the accounts that send events. For more information, see Create custom policies.

Step 3: Modify the trust policy

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you created.

  4. On the Trust Policy tab, click Edit Trust Policy.

    image

  5. Modify the content of the trust policy and click Save trust policy document.

    The following sample code provides an example of trust policies:

    {
    "Statement":[
        {
            "Action":"sts:AssumeRole",
            "Effect":"Allow",
            "Principal":{
                "Service":[
                    "${Account A}@eventbridge.aliyuncs.com"
                ]
            }
        }
    ],
    "Version":"1"
}

    After you modify the trust policy, EventBridge of Alibaba Cloud Account A can assume the RAM role.

Step 4: Create an event rule

  1. Use the Alibaba Cloud Account A that sends events to log on to the EventBridge console.

  2. In the left-side navigation pane, click Event Buses.
  3. In the top navigation bar, select a region.

  4. On the Event Buses page, find the system event bus and click its name default.

  5. In the left-side navigation pane, click Event Rules.

  6. In the left-side navigation pane, click Event Rules. On the page that appears, click Create Rule.

  7. In the Create Rule wizard, perform the following steps:

    1. In the Configure Basic Info step, enter a rule name in the Name field and a rule description in the Description field. Then, click Next Step.

    2. In the Configure Event Pattern step, set the Event Source Type parameter to Alibaba Cloud Service Event Source, select an Alibaba Cloud service from the Event Source drop-down list and an event type from the Event Type drop-down list, specify an event pattern in the Event Pattern Content code editor, and then click Next Step.

    3. In the Configure Targets step, configure an event target. Then, click Create.

      • Service Type: Click EventBridge.

      • Destination Account Type: This parameter is automatically set to Another Alibaba Cloud Account.

      • Account ID: Enter the ID of Alibaba Cloud Account B that receives events.

      • Event Bus Name: Enter default.

      • Event: This parameter is automatically set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.

      Note

      You can configure up to five event targets for an event rule.

Verify the result

You can use Alibaba Cloud Account B that receives events to query events. For more information, see Query events.

Previous: Push events from ApsaraMQ for MQTT to Function ComputeNext: Security and Compliance
  • On this page (1, T)
  • Background information
  • Limits
  • Step 1: Create a RAM role
  • Step 2: Grant permissions to the RAM role
  • Step 3: Modify the trust policy
  • Step 4: Create an event rule
  • Verify the result
Feedback
phone Contact Us

Chat now with Alibaba Cloud Customer Service to assist you in finding the right products and services to meet your needs.

alicare alicarealicarealicare