Before you use EventBridge, activate EventBridge on the product page. If you are a RAM user, the Alibaba Cloud account must grant you permissions to access EventBridge resources through the console or API and route events using an SDK.
Prerequisites
You have an Alibaba Cloud account.
Step 1: Activate EventBridge
- Log on to the Alibaba Cloud official website and choose .
- On the EventBridge product page, click Open now.
- Read the EventBridge (Pay-as-you-go) Terms of Service, select the check box, and click Open now.
  You are redirected to the EventBridge console.
Step 2: Grant permissions to a RAM user
Console
The RAM console provides two entry points for granting permissions to RAM users, both supporting single and bulk authorization:
- From the Users page: Select target users from the list. The panel automatically sets them as principals.
- From the Authorization page: Manually select the principals. This page shows all authorization records in your account.
Best practice for bulk management: To grant identical permissions to multiple RAM users, add them to a user group and grant permissions to the user group. Go to Identities > User Groups in the console.
Start from the Users page
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user and click Attach Policy in the Actions column.
  You can also select multiple RAM users and click Attach Policy below the user list to grant permissions in bulk.
- In the Add Permissions panel, configure the permissions.
  - Select a Resource scope:
    - Entire account: Permissions apply to all resources in the current Alibaba Cloud account. Use this option when resource group isolation is not required.
    - Specific resource group: Permissions apply only to resources in the selected resource group. Use this option for multi-team environments that require resource group isolation. RAM users must switch to the resource group in the top navigation bar to access and manage its resources.
    Note
    - The system automatically flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess, which typically grant full control over all cloud resources or full permissions to manage access control (RAM). Grant them with caution.
    - Example: Use a resource group to control a RAM user's access to specific ECS instances.
  - Select a Principal:
    The principal is the RAM user to whom you grant permissions. If you started from the Users page, the current user is automatically selected. If you started from the Authorization page, select the users manually. You can select multiple users.
  - Select a Policy:
    - System policy: Search for and select a policy. You can search by product name (for example, ECS or OSS), permission level (for example, ReadOnly or FullAccess), or policy name.
    - Custom policy: You must create a custom policy before you can grant it.
  - (Optional) Enter Notes: Add a note explaining the authorization purpose, such as "Special authorization for OSS upload tasks", to simplify future audits.
  - Submit the authorization: Click OK.
- Review the authorization result and click Close.
Start from the Authorization page
- Log on to the RAM console.
- In the left-side navigation pane, choose .
- On the Authorization page, click Add Permissions.
- In the Add Permissions panel, grant permissions to the RAM user. The configuration is the same as in the previous section.
- Review the authorization result and click Close.
API
Grant a custom policy
- Call the CreatePolicy operation to create a custom policy. See Elements of a RAM policy and Overview of policy examples.
- Call the AttachPolicyToUser operation to grant account-level permissions to the RAM user. Set the PolicyType parameter to Custom.
  Alternatively, call the AttachPolicy operation to grant resource-group-level permissions.
Grant a system policy
- Call the AttachPolicyToUser operation to attach the policy to the specified RAM user. Set the PolicyType parameter to System. Valid PolicyName values are listed in the System policy reference.
- Alternatively, call the AttachPolicy operation to grant resource-group-level permissions to the RAM user.
EventBridge provides the following system policies. Grant them to RAM users as needed.
Policy | Description |
AliyunEventBridgeFullAccess | The permissions to manage EventBridge. Such permissions are equivalent to the permissions that an Alibaba Cloud account has. A RAM user to which this policy is attached can publish events and use all features of the EventBridge console. |
AliyunEventBridgeReadOnlyAccess | The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceCreatePolicy | The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceUpdatePolicy | The permissions to modify resources in EventBridge. A RAM user to which this policy is attached can modify resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceDeletePolicy | The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can delete resources in the EventBridge console or by calling API operations. |
AliyunEventBridgePutEventsPolicy | The permissions to publish events in EventBridge. A RAM user to which this policy is attached can publish events in the EventBridge console or by calling API operations. |
System policies grant broad permissions. For example, AliyunEventBridgeFullAccess grants full permissions on all EventBridge resources. For fine-grained control, EventBridge supports custom policies.
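An added example (not Alibaba Cloud's code) for the custom-policy path described above: it builds a policy document scoped to a single event bus, refuses wildcard grants, and prepares the parameters for the CreatePolicy and AttachPolicyToUser calls. The action name and ARN layout are assumptions to confirm against the EventBridge authorization reference; the account ID, bus, user and policy names are constructed.

```python
import json

# Constructed sample values; the action name and ARN layout are assumptions
# to confirm against the EventBridge authorization reference.
PUT_EVENTS = "eventbridge:PutEvents"
ARN = "acs:eventbridge:{region}:{account}:eventbus/{bus}"

def put_events_policy(region, account, bus):
    """Policy document that allows publishing to one event bus only."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow",
        "Action": [PUT_EVENTS],
        "Resource": [ARN.format(region=region, account=account, bus=bus)],
    }]}

def _as_list(value):
    # RAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """List every wildcard action or resource found in an Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("Action", "Resource"):
            for value in _as_list(stmt.get(key, [])):
                if "*" in value:
                    findings.append(f"statement {i}: wildcard {key} {value!r}")
    return findings

def ram_requests(policy_name, user_name, policy):
    """Build CreatePolicy and AttachPolicyToUser parameters, refusing broad grants."""
    findings = broad_grants(policy)
    if findings:
        raise ValueError("; ".join(findings))
    create = {"PolicyName": policy_name, "PolicyDocument": json.dumps(policy)}
    attach = {"PolicyType": "Custom", "PolicyName": policy_name,
              "UserName": user_name}
    return create, attach

if __name__ == "__main__":
    doc = put_events_policy("cn-hangzhou", "1234567890123456", "orders-bus")
    for params in ram_requests("EbPutOrdersOnly", "eb-publisher", doc):
        print(params)
    print(broad_grants({"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "eventbridge:*", "Resource": "*"}]}))
```

The two returned dictionaries map one-to-one onto the request parameters of the RAM operations; pass them to whichever SDK or CLI you use to call RAM.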
Next steps
Click Console to start creating resources. See Event source overview.