Different Alibaba Cloud accounts in the same organization or related organizations usually need to exchange events. You can use the cross-account event routing feature of EventBridge to route events from multiple Alibaba Cloud accounts to one Alibaba Cloud account for centralized processing. This topic describes the background information, limits, and procedure for routing events across Alibaba Cloud accounts. This topic also describes how to verify the result.

Background information

In the scenario shown in the following figure, Alibaba Cloud accounts A and B belong to the same organization or related organizations. You can route the audit events of the RAM user of Alibaba Cloud account A to the system event bus of Alibaba Cloud account B for centralized processing. To do so, perform the following steps:

  1. Use Alibaba Cloud account B that receives events to create a RAM role. Set the trusted entity of the RAM role to Alibaba Cloud account A that sends events.
  2. Use Alibaba Cloud account B to grant the RAM role the permissions to publish events. Alibaba Cloud account A can assume the RAM role and has the permissions to publish events to Alibaba Cloud account B.
  3. Use Alibaba Cloud account B to modify the trust policy of the RAM role and attach the policy that is used to grant the permissions to publish events to the Alibaba Cloud services of Alibaba Cloud account B. The Alibaba Cloud services of Alibaba Cloud account B can also assume the RAM role and have the permissions to publish events to Alibaba Cloud account B.
  4. Use Alibaba Cloud account A to create an event rule and route audit events to the system event bus of Alibaba Cloud account B.
(Figure: Route events across Alibaba Cloud accounts)
Note Events from multiple accounts can be routed to the same event bus of an account. The aliyunoriginalaccountid extended field of the events specifies the sources of the events. The account to which the events are routed can filter the events based on the aliyunoriginalaccountid field.

Supported region

The cross-account event routing feature is supported only in the China (Hohhot) region.

Limits

  • You can route events across Alibaba Cloud accounts only in the same region.
  • Events of a system event bus can be routed only to a system event bus.
  • Events of a custom event bus can be routed only to a custom event bus.

Step 1: Create a RAM role

  1. Use Alibaba Cloud account B that receives events to log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role panel, select Alibaba Cloud Account for the Trusted entity type parameter and click Next.
  5. Specify the RAM Role Name and Note parameters.
  6. For Select Trusted Alibaba Cloud Account, select Other Alibaba Cloud Account, enter the ID of Alibaba Cloud account A that sends events, and then click OK.

Step 2: Grant permissions to the RAM role

  1. In the left-side navigation pane, click RAM Roles.
  2. On the RAM Roles page, find the RAM role to which you want to grant permissions. Click Add Permissions in the Actions column.
  3. Find and click EventBridgePutEventsPolicy in the Authorization Policy Name column, and click OK.
    Note If the system policies cannot meet your requirements, you can create a custom policy to provide finer-grained access control. This way, you can grant permissions on specific event buses to accounts that send events. For more information, see Create a custom policy.

Step 3: Modify the trust policy

  1. In the left-side navigation pane, click RAM Roles.
  2. On the RAM Roles page, find the specific RAM role and click its name.
  3. Click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
  4. Modify the trust policy and click OK.
    {
        "Statement":[
            {
                "Action":"sts:AssumeRole",
                "Effect":"Allow",
                "Principal":{
                    "Service":[
                        "${Account A}@eventbridge.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version":"1"
    }
    After the trust policy is modified, EventBridge of Alibaba Cloud account A can assume the RAM role.
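The following Python example is added here and is not part of the original topic or of any Alibaba Cloud SDK. It ties together the trust policy above and the earlier note on the aliyunoriginalaccountid field: on the receiving side (account B), it derives the set of sender accounts that the trust policy actually allows to assume the role, then partitions incoming events by their aliyunoriginalaccountid extension so that events from any other account, or events that lack the field, are set aside instead of processed. The account IDs and the event contents are constructed placeholders.

```python
import json
import re

# Constructed trust policy in the shape shown in Step 3; the account ID is a
# placeholder standing in for Alibaba Cloud account A.
TRUST_POLICY = json.loads("""
{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                "Principal": {"Service": ["100000000000001@eventbridge.aliyuncs.com"]}}],
 "Version": "1"}
""")

# Service principal form used by the trust policy on this page.
SERVICE_PRINCIPAL = re.compile(r"^(\d+)@eventbridge\.aliyuncs\.com$")

def trusted_eventbridge_accounts(policy):
    """Account IDs whose EventBridge the trust policy allows to assume the role.
    Only Allow statements for sts:AssumeRole with a Service principal of the form
    <account-id>@eventbridge.aliyuncs.com are counted."""
    accounts = set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        for svc in services:
            m = SERVICE_PRINCIPAL.match(svc)
            if m:
                accounts.add(m.group(1))
    return accounts

def split_by_origin(events, allowed_accounts):
    """Partition received events by their aliyunoriginalaccountid extension.
    An event from an unknown origin account, or with no origin field at all, is
    rejected rather than processed so the receiving account can alert on it."""
    accepted, rejected = [], []
    for ev in events:
        origin = ev.get("aliyunoriginalaccountid")
        (accepted if origin in allowed_accounts else rejected).append(ev)
    return accepted, rejected

# Constructed sample events as they would arrive on account B's system event bus,
# reduced to the CloudEvents attributes this check needs.
SAMPLE_EVENTS = [
    {"specversion": "1.0", "id": "evt-1", "aliyunoriginalaccountid": "100000000000001"},
    {"specversion": "1.0", "id": "evt-2", "aliyunoriginalaccountid": "100000000000009"},
    {"specversion": "1.0", "id": "evt-3"},  # field missing: must not be treated as trusted
]
```

Running split_by_origin(SAMPLE_EVENTS, trusted_eventbridge_accounts(TRUST_POLICY)) accepts only evt-1; evt-2 (unknown account) and evt-3 (no origin field) land in the rejected list.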

Step 4: Create an event rule

  1. Log on to the EventBridge console.
  2. In the left-side navigation pane, choose Event-driven Operations > Event Rules.
  3. In the top navigation bar, select a region.
  4. On the Event Rules page, select System Event Bus from the Event Bus drop-down list and click Create Rule.
  5. On the Create Rule page, perform the following steps:
    1. In the Configure Basic Info step, enter a rule name in the Name field and a rule description in the Description field, and click Next Step.
    2. In the Configure Event Pattern step, set the Event Source Type parameter to Alibaba Cloud Service Event Source, select an Alibaba Cloud service from the Event Source drop-down list and an event type from the Event Type drop-down list, specify an event pattern in the Event Pattern Content code editor, and then click Next Step.
    3. In the Configure Targets step, configure an event target. Then, click Create.
      • Service Type: Click EventBridge.
      • Destination Account Type: By default, this parameter is set to Another Alibaba Cloud Account.
      • Account ID: Enter the ID of Alibaba Cloud account B.
      • Event Bus Name: Enter default.
      • Event: By default, this parameter is set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.
      Note You can configure a maximum of five event targets for an event rule.

Verify the result

You can use Alibaba Cloud account B to query events. For more information, see Query events by event ID and Query events by time range.