EventBridge allows you to route events to the same Alibaba Cloud account or another Alibaba Cloud account. You can use event rules to filter events and route the events to EventBridge of the same Alibaba Cloud account or another Alibaba Cloud account. This topic describes the prerequisites, background information, usage notes, and procedure for routing an event to EventBridge.

Background information

Feature 1: Same-account event routing

The following figure shows a scenario for routing events to the same Alibaba Cloud account. In this scenario, the system event bus, Custom Event Bus A, Custom Event Bus B, and Custom Event Bus C all belong to Alibaba Cloud Account A. You can route any event of these event buses to the custom event buses of Alibaba Cloud Account A for centralized processing. Same-account event routing

Feature 2: Cross-account event routing

The following figure shows a scenario for routing events across Alibaba Cloud accounts. In this scenario, Alibaba Cloud Account A and Alibaba Cloud Account B belong to the same organization or two related organizations. You can route any event of the RAM user of Alibaba Cloud Account A to the custom event buses of Alibaba Cloud Account B for centralized processing by performing the following steps:

  1. Create a RAM role by using Alibaba Cloud Account B, the account that is used to receive events. Set the trusted entity of the RAM role to Alibaba Cloud Account A, the account that is used to send events.
  2. Use Alibaba Cloud Account B to grant the RAM role the permissions to publish events. Alibaba Cloud Account A can assume the RAM role and has the permissions to publish events to Alibaba Cloud Account B.
  3. Use Alibaba Cloud Account B to modify the trust policy of the RAM role and attach the policy that is used to grant the permissions to publish events to the services of Alibaba Cloud Account B. The services of Alibaba Cloud Account B can also assume the RAM role and have the permissions to publish events to Alibaba Cloud Account B.
  4. Use Alibaba Cloud Account A to create an event rule and route the event to the custom event buses of Alibaba Cloud Account B.
Cross-account event routing
Note Events from multiple accounts can be routed to the same event bus of an account. The aliyunoriginalaccountid extended field of the events specifies the sources of the events. The account to which the events are routed can filter the events based on the aliyunoriginalaccountid field.

Description

  • Both the same-account event routing feature and the cross-account event routing feature allow you to route events across regions.
  • Events of the system event bus and custom event buses can be routed to only custom event buses.

Route events to the same account

  1. Log on to the EventBridge console. In the left-side navigation pane, click Event Buses.
  2. In the top navigation bar, select a region. On the Event Buses page, click default (System Event Bus).
  3. In the left-side navigation pane, click Event Rules. On the page that appears, click Create Rule.
  4. In the Create Rule wizard, perform the following steps:
    1. In the Configure Basic Info step, configure Name and Description and click Next Step.
    2. In the Configure Event Pattern step, configure the following parameters and click Next Step.
      • Event Source Type: Select Alibaba Cloud Service Event Source.
      • Event Source: Select an Alibaba Cloud service event source.
      • Event Type: Select an event type.
      • Pattern Content: Enter an event pattern.
    3. In the Configure Targets step, configure the following parameters and click Create.
      • Service Type: Select Event Bus.
      • Destination Type: Select Same-account Event Bus.
      • Region: Select the region where the event bus is deployed.
      • Event Bus: Select an event bus to which you want to route the event.
      • Event: By default, this parameter is set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.
      Note You can configure up to five event targets for an event rule.
    You can query an event on the event bus to which you route the event. For more information, see Query events.

Route events across accounts

Step 1: Create a RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Configure the RAM role.
    1. Set the RAM Role Name parameter.
    2. Optional:Set the Note parameter.
    3. Select Other Alibaba Cloud Account as Select Trusted Alibaba Cloud Account, enter the ID of Alibaba Cloud Account A that sends events, and then click OK.

Step 2: Grant permissions to the RAM role

  1. Use Alibaba Cloud Account B to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role.
    1. Select a type of authorization.
      • Alibaba Cloud Account: The permissions granted to the RAM role take effect within the current Alibaba Cloud account.
      • Specific Resource Group: The permissions granted to the RAM role take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify a principal.
      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
    3. Attach policies to the RAM role.
      Find and click AliyunEventBridgePutEventsPolicy in the Authorization Policy Name column. Click OK.
      Note
      • You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.
      • If the system policies cannot meet your requirements, you can create a custom policy to implement fine-grained access control. This way, you can grant permissions on specific event buses to the accounts that send events. For more information, see Create a custom policy

Step 3: Modify the trust policy

  1. Use Alibaba Cloud Account B to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the RAM Roles page, find the specific RAM role and click its name.
  4. Click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
  5. Modify the trust policy and click OK.

    The following sample code shows a trust policy:

    {
    "Statement":[
        {
            "Action":"sts:AssumeRole",
            "Effect":"Allow",
            "Principal":{
                "Service":[
                    "${Account A}@eventbridge.aliyuncs.com"
                ]
            }
        }
    ],
    "Version":"1"
}
    After the trust policy is modified, EventBridge of Alibaba Cloud Account A can assume the RAM role.

Step 4: Create an event rule

  1. Log on to the EventBridge console by using Alibaba Cloud Account A. In the left-side navigation pane, click Event Buses.
  2. In the top navigation bar, select a region. On the Event Buses page, click default (System Event Bus).
  3. In the left-side navigation pane, click Event Rules. On the page that appears, click Create Rule.
  4. In the Create Rule wizard, perform the following steps:
    1. In the Configure Basic Info step, configure Name and Description and click Next Step.
    2. In the Configure Event Pattern step, configure the following parameters and click Next Step.
      • Event Source Type: Select Alibaba Cloud Service Event Source.
      • Event Source: Select an Alibaba Cloud service event source.
      • Event Type: Select an event type.
      • Pattern Content: Enter an event pattern.
    3. In the Configure Targets step, configure the following parameters and click Create.
      • Service Type: Select Event Bus.
      • Destination Type: Select Cross-account Event Bus.
      • Region: Select the region where Alibaba Cloud Account B resides.
      • Account ID: Enter the ID of Alibaba Cloud Account B.
      • Event Bus Name: Enter default.
      • Role: Enter the name of the RAM role that you created in the Prerequisites section.
      • Event: By default, this parameter is set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.
      Note You can configure up to five event targets for an event rule.
    You can use Account B to query events. For more information, see Query events.