Alibaba Cloud provides Resource Access Management (RAM), which allows you to manage permissions on EventBridge. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for EventBridge and provides a sample custom policy.

Background information

In RAM, a policy is a set of permissions that are described in the policy syntax and structure. A policy accurately describes the authorized resource set, action set, and authorization conditions. For more information, see Policy structure and syntax.

EventBridge supports the following types of RAM policies:

  • System policies

    System policies are created by Alibaba Cloud. You can use these policies. However, you cannot modify these policies. The policy updates are maintained by Alibaba Cloud.

  • Custom policies

    You can create, update, and delete custom policies and maintain the updates of the policies. You can edit custom policies and attach them to RAM users in the RAM console.

Usage notes

  • The permissions on API operations called to create, delete, update, and query resources are checked on the one-action-over-one-resource basis.
  • During authentication, the system checks the permissions to perform actions on the resource. For example, when you call the UpdateRule operation, the system checks whether you have the permissions to perform the eventbridge:UpdateRule action on eventbus/$eventbus.

System policies

The following table describes the default policies that are provided for EventBridge.

Policy Description
AliyunEventBridgeFullAccess The permissions to manage EventBridge. Such permissions are equivalent to the permissions that an Alibaba Cloud account has. A RAM user to which this policy is attached can publish events and use all the features of the EventBridge console.
AliyunEventBridgeReadOnlyAccess The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the EventBridge console or by calling API operations.
EventBridgeResourceCreatePolicy The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources in the EventBridge console or by calling API operations.
EventBridgeResourceUpdatePolicy The permissions to edit resources in EventBridge. A RAM user to which this policy is attached can edit resources in the EventBridge console or by calling API operations.
EventBridgeResourceDeletePolicy The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can delete resources in the EventBridge console or by calling API operations.
EventBridgePutEventsPolicy The permissions to publish events in EventBridge. A RAM user to which this policy is attached can publish events in the EventBridge console or by calling API operations.

Custom policies

You can define custom policies to grant fine-grained permissions to RAM users. The following table describes the actions and resources that can be used to define custom policies for EventBridge.

Operation Action Resource
CreateEventBus eventbridge:CreateEventBus acs:eventbridge:$regionId:$accountId:eventbus/*
GetEventBus eventbridge:GetEventBus acs:eventbridge:$regionId:$accountId:eventbus/$eventbus
DeleteEventBus eventbridge:DeleteEventBus acs:eventbridge:$regionId:$accountId:eventbus/$eventbus
ListEventBuses eventbridge:ListEventBuses acs:eventbridge:$regionId:$accountId:eventbus/*
CreateRule eventbridge:CreateRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/*
GetRule eventbridge:GetRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
UpdateRule eventbridge:UpdateRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
EnableRule eventbridge:EnableRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DisableRule eventbridge:DisableRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DeleteRule eventbridge:DeleteRule acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
ListRules eventbridge:ListRules acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/*
UpdateTargets eventbridge:UpdateTargets acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
DeleteTargets eventbridge:DeleteTargets acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
ListTargets eventbridge:ListTargets acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule
PutEvents eventbridge:PutEvents acs:eventbridge:$regionId:$accountId:eventbus/$eventbus

Sample custom policy

You can use the following code to define a custom policy that is used to authorize RAM users to manage event buses:

{
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses"
            ],
            "Resource":"acs:eventbridge:*:*:eventbus/*"
        }
    ],
    "Version":"1"
}