EventBridge uses Alibaba Cloud Resource Access Management (RAM) to manage permissions. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for EventBridge and provides a sample custom policy.

Background information

In RAM, a policy is a set of permissions that are described in the policy syntax and structure. A policy accurately describes the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.

EventBridge supports the following types of RAM policies:

  • System policies

    System policies are created and maintained by Alibaba Cloud. You can attach these policies to RAM users, but you cannot modify them; Alibaba Cloud publishes their updates.

  • Custom policies

    You can create, update, and delete custom policies and maintain version updates of the policies. You can edit custom policies and attach them to RAM users in the RAM console.

Usage notes

  • The permissions on API operations called to create, delete, update, and query resources are checked on a one-action-over-one-resource basis.
  • During a permission check, the system verifies that the caller is allowed to perform the requested action on the specific resource. For example, when you call the UpdateRule operation, the system checks whether you have the permission to perform the eventbridge:UpdateRule action on eventbus/$eventbus.

System policies

The following table describes the default permission policies that are provided for EventBridge.

  • AliyunEventBridgeFullAccess: The permissions to manage EventBridge, which are equivalent to the permissions of the Alibaba Cloud account. A RAM user to which this policy is attached can send and subscribe to all messages and use all the features of the console.
  • AliyunEventBridgeReadOnlyAccess: The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the console or by calling API operations.
  • EventBridgeResourceCreatePolicy: The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources under all the resources of the Alibaba Cloud account in the console or by calling API operations.
  • EventBridgeResourceUpdatePolicy: The permissions to edit resources in EventBridge. A RAM user to which this policy is attached can only edit resources, in the console or by calling API operations.
  • EventBridgeResourceDeletePolicy: The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can only delete resources, in the console or by calling API operations.
  • EventBridgePutEventsPolicy: The permissions to publish events in EventBridge. A RAM user to which this policy is attached can only publish events, in the console or by calling API operations.

Custom policies

Custom policies allow you to grant fine-grained permissions to RAM users. The following table describes the actions and resources that can be used to define custom policies for EventBridge.

API              Action                        Resource
CreateEventBus   eventbridge:CreateEventBus    acs:eventbridge:$regionId:$accountId:eventbus/*
GetEventBus      eventbridge:GetEventBus       acs:eventbridge:$regionId:$accountId:eventbus/$eventbus
DeleteEventBus   eventbridge:DeleteEventBus    acs:eventbridge:$regionId:$accountId:eventbus/$eventbus
ListEventBuses   eventbridge:ListEventBuses    acs:eventbridge:$regionId:$accountId:eventbus/*
CreateRule       eventbridge:CreateRule        acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/*
GetRule          eventbridge:GetRule           acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
UpdateRule       eventbridge:UpdateRule        acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
EnableRule       eventbridge:EnableRule        acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DisableRule      eventbridge:DisableRule       acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DeleteRule       eventbridge:DeleteRule        acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
ListRules        eventbridge:ListRules         acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/*
UpdateTargets    eventbridge:UpdateTargets     acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DeleteTargets    eventbridge:DeleteRule        acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
ListTargets      eventbridge:ListTargets       acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
PutEvents        eventbridge:PutEvents         acs:eventbridge:$regionId:$accountId:eventbus/$eventbus

Sample custom policy

Custom policy used to grant the permissions to manage event buses:

{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses"
            ],
            "Resource":"acs:eventbridge:*:*:eventbus/*"
        }
    ],
    "Version":"1"
}
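The following Python script is an added example, not code from this topic or from Alibaba Cloud. It models the one-action-over-one-resource check described in the usage notes and runs it over two policies: the sample custom policy above, and a constructed least-privilege policy that lets a RAM user manage rules on one named event bus only, built from the resource patterns in the custom-policies table. The region cn-hangzhou, the <account-id> placeholder, the bus name orders-bus and the rule names are assumptions. The evaluator treats '*' as matching any run of characters, lets an explicit Deny override an Allow, and ignores Condition elements; it illustrates the check, it is not Alibaba Cloud's evaluation engine.

```python
import re

# Sample custom policy from this topic: manage event buses in any region of the account.
MANAGE_EVENT_BUSES_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses",
            ],
            "Resource": "acs:eventbridge:*:*:eventbus/*",
        }
    ],
    "Version": "1",
}

# Constructed least-privilege policy (assumption, not from the page): manage rules
# and targets on the event bus "orders-bus" only. <account-id> is a placeholder.
# The Deny statement blocks target changes on rules named prod-* even though the
# Allow statement would otherwise cover them.
RULES_ON_ONE_BUS_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:CreateRule",
                "eventbridge:GetRule",
                "eventbridge:UpdateRule",
                "eventbridge:EnableRule",
                "eventbridge:DisableRule",
                "eventbridge:ListRules",
                "eventbridge:UpdateTargets",
                "eventbridge:ListTargets",
            ],
            "Resource": "acs:eventbridge:cn-hangzhou:<account-id>:eventbus/orders-bus/rule/*",
        },
        {
            "Effect": "Deny",
            "Action": "eventbridge:UpdateTargets",
            "Resource": "acs:eventbridge:cn-hangzhou:<account-id>:eventbus/orders-bus/rule/prod-*",
        },
    ],
    "Version": "1",
}


def event_bus_resource(region: str, account_id: str, event_bus: str = "*") -> str:
    """Resource string for an event bus, in the form the custom-policies table gives."""
    return f"acs:eventbridge:{region}:{account_id}:eventbus/{event_bus}"


def rule_resource(region: str, account_id: str, event_bus: str, rule: str = "*") -> str:
    """Resource string for a rule on an event bus, in the form the table gives."""
    return f"acs:eventbridge:{region}:{account_id}:eventbus/{event_bus}/rule/{rule}"


def _wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (including '/'); everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Check one action against one resource.

    Returns "Deny" if any Deny statement matches, "Allow" if any Allow statement
    matches and no Deny does, and "Implicit Deny" if no statement grants it.
    """
    decision = "Implicit Deny"
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue  # this statement says nothing about this action/resource pair
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    return evaluate(policy, action, resource) == "Allow"


if __name__ == "__main__":
    bus = event_bus_resource("cn-hangzhou", "<account-id>", "orders-bus")
    prod_rule = rule_resource("cn-hangzhou", "<account-id>", "orders-bus", "prod-orders")
    other_rule = rule_resource("cn-hangzhou", "<account-id>", "other-bus", "prod-orders")
    for name, policy, action, res in [
        ("manage-buses", MANAGE_EVENT_BUSES_POLICY, "eventbridge:CreateEventBus", bus),
        ("manage-buses", MANAGE_EVENT_BUSES_POLICY, "eventbridge:CreateRule", prod_rule),
        ("one-bus-rules", RULES_ON_ONE_BUS_POLICY, "eventbridge:UpdateRule", prod_rule),
        ("one-bus-rules", RULES_ON_ONE_BUS_POLICY, "eventbridge:UpdateRule", other_rule),
        ("one-bus-rules", RULES_ON_ONE_BUS_POLICY, "eventbridge:UpdateTargets", prod_rule),
        ("one-bus-rules", RULES_ON_ONE_BUS_POLICY, "eventbridge:DeleteEventBus", bus),
    ]:
        print(f"{name:14} {action:30} {res}\n  -> {evaluate(policy, action, res)}")
```

The second check shows why the sample policy is narrower than it may look: its resource pattern eventbus/* does match a rule resource, but eventbridge:CreateRule is not in its action list, so the result is an implicit deny. The constructed policy shows the other direction: the action is granted, but only on resources under orders-bus, so the same action on another bus is denied.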