Alibaba Cloud provides Resource Access Management (RAM), which allows you to manage permissions on EventBridge. When you use RAM, you do not need to share the AccessKey pair of your Alibaba Cloud account with other users. Instead, you can grant them only the minimal required permissions. An AccessKey pair includes an AccessKey ID and an AccessKey secret. This topic describes the RAM policies for EventBridge and provides a sample custom policy.
Background information
EventBridge supports the following types of RAM policies:
- System policies
System policies are created and maintained by Alibaba Cloud. You can attach these policies to RAM users, but you cannot modify them; Alibaba Cloud publishes any updates to them.
- Custom policies
You can create, update, and delete custom policies, and you are responsible for keeping them up to date. You can edit custom policies and attach them to RAM users in the RAM console.
Usage notes
- The permissions on API operations that create, delete, update, and query resources are checked on a one-action-per-resource basis: each action is authorized against the specific resource it targets.
- During authentication, the system checks whether you have the permission to perform the action on the target resource. For example, when you call the UpdateRule operation, the system checks whether you have the permission to perform the eventbridge:UpdateRule action on eventbus/$eventbus.
System policies
The following table describes the default policies that are provided for EventBridge.
Policy | Description |
---|---|
AliyunEventBridgeFullAccess | The permissions to manage EventBridge. Such permissions are equivalent to the permissions that an Alibaba Cloud account has. A RAM user to which this policy is attached can publish events and use all the features of the EventBridge console. |
AliyunEventBridgeReadOnlyAccess | The read-only permissions on EventBridge. A RAM user to which this policy is attached can only read resource information in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceCreatePolicy | The permissions to create resources in EventBridge. A RAM user to which this policy is attached can create resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceUpdatePolicy | The permissions to edit resources in EventBridge. A RAM user to which this policy is attached can edit resources in the EventBridge console or by calling API operations. |
AliyunEventBridgeResourceDeletePolicy | The permissions to delete resources from EventBridge. A RAM user to which this policy is attached can delete resources in the EventBridge console or by calling API operations. |
AliyunEventBridgePutEventsPolicy | The permissions to publish events in EventBridge. A RAM user to which this policy is attached can publish events in the EventBridge console or by calling API operations. |
Custom policies
You can define custom policies to grant fine-grained permissions to RAM users. The following table describes the actions and resources that can be used to define custom policies for EventBridge.
Operation | Action | Resource |
---|---|---|
CreateEventBus | eventbridge:CreateEventBus | acs:eventbridge:$regionId:$accountId:eventbus/* |
GetEventBus | eventbridge:GetEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
DeleteEventBus | eventbridge:DeleteEventBus | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
ListEventBuses | eventbridge:ListEventBuses | acs:eventbridge:$regionId:$accountId:eventbus/* |
CreateRule | eventbridge:CreateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
GetRule | eventbridge:GetRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
UpdateRule | eventbridge:UpdateRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
EnableRule | eventbridge:EnableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DisableRule | eventbridge:DisableRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DeleteRule | eventbridge:DeleteRule | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
ListRules | eventbridge:ListRules | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/* |
UpdateTargets | eventbridge:UpdateTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
DeleteTargets | eventbridge:DeleteTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
ListTargets | eventbridge:ListTargets | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus/rule/$rule |
PutEvents | eventbridge:PutEvents | acs:eventbridge:$regionId:$accountId:eventbus/$eventbus |
Sample custom policy
You can use the following code to define a custom policy that is used to authorize RAM users to manage event buses:
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eventbridge:CreateEventBus",
        "eventbridge:GetEventBus",
        "eventbridge:DeleteEventBus",
        "eventbridge:ListEventBuses"
      ],
      "Resource": "acs:eventbridge:*:*:eventbus/*"
    }
  ],
  "Version": "1"
}
```
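The sample policy above uses `*` for the region ID, the account ID, and the event bus name, so it grants the listed actions on every event bus in every region of every account the RAM user can reach. The following added example (not part of this topic or of the EventBridge product code) shows how to build a policy document scoped to one region, one account, and one event bus using the resource formats from the custom policy table, and how to evaluate one action against one resource the way the Usage notes describe. The region ID, account ID, event bus name, and rule name are constructed placeholders; the `is_allowed` function is a simplified model of RAM policy evaluation (Allow statements only, `*` wildcard only, no Deny, no Condition) written here for illustration, not the actual RAM evaluation engine.

```python
import fnmatch
import json

# Constructed placeholders (assumption): not real Alibaba Cloud identifiers.
REGION_ID = "cn-hangzhou"
ACCOUNT_ID = "123456789012345"
EVENT_BUS = "orders-bus"

# The sample custom policy from this topic, reproduced as a Python dict.
# Its Resource uses "*" for region, account, and bus name, so it is very broad.
PAGE_SAMPLE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eventbridge:CreateEventBus",
                "eventbridge:GetEventBus",
                "eventbridge:DeleteEventBus",
                "eventbridge:ListEventBuses",
            ],
            "Resource": "acs:eventbridge:*:*:eventbus/*",
        }
    ],
    "Version": "1",
}

# Rule-level actions from the custom policy table; all of them target
# eventbus/$eventbus/rule/$rule or eventbus/$eventbus/rule/*.
RULE_ACTIONS = [
    "eventbridge:CreateRule", "eventbridge:GetRule", "eventbridge:UpdateRule",
    "eventbridge:EnableRule", "eventbridge:DisableRule", "eventbridge:DeleteRule",
    "eventbridge:ListRules", "eventbridge:UpdateTargets", "eventbridge:DeleteTargets",
    "eventbridge:ListTargets",
]


def eventbus_arn(region_id, account_id, eventbus="*", rule=None):
    """Build a resource string in the acs:eventbridge:... format from the table."""
    arn = f"acs:eventbridge:{region_id}:{account_id}:eventbus/{eventbus}"
    if rule is not None:
        arn += f"/rule/{rule}"
    return arn


def scoped_bus_policy(region_id, account_id, eventbus):
    """Least-privilege policy for operating one existing event bus:
    read the bus and publish events to it, and manage the rules under it.
    CreateEventBus/DeleteEventBus are deliberately left out."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["eventbridge:GetEventBus", "eventbridge:PutEvents"],
                "Resource": eventbus_arn(region_id, account_id, eventbus),
            },
            {
                "Effect": "Allow",
                "Action": RULE_ACTIONS,
                "Resource": eventbus_arn(region_id, account_id, eventbus, rule="*"),
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified one-action-over-one-resource check (assumption: Allow-only,
    '*' is the only wildcard and matches any characters, including '/').
    Real RAM evaluation also handles Deny statements and Conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


if __name__ == "__main__":
    policy = scoped_bus_policy(REGION_ID, ACCOUNT_ID, EVENT_BUS)
    print(json.dumps(policy, indent=2))
    checks = [
        ("eventbridge:PutEvents", eventbus_arn(REGION_ID, ACCOUNT_ID, EVENT_BUS)),
        ("eventbridge:PutEvents", eventbus_arn(REGION_ID, ACCOUNT_ID, "other-bus")),
        ("eventbridge:DeleteEventBus", eventbus_arn(REGION_ID, ACCOUNT_ID, EVENT_BUS)),
        ("eventbridge:UpdateRule", eventbus_arn(REGION_ID, ACCOUNT_ID, EVENT_BUS, rule="r1")),
    ]
    for act, res in checks:
        print(f"{act:32s} {res}: {'allow' if is_allowed(policy, act, res) else 'deny'}")
```

The scoped policy denies `eventbridge:DeleteEventBus` on the bus it covers and denies `eventbridge:PutEvents` on any other bus, while the page's sample policy allows `DeleteEventBus` on a bus in any region and account. When you write a custom policy, start from the resource format in the table and replace `$regionId`, `$accountId`, `$eventbus`, and `$rule` with concrete values; leave `*` only where the table itself uses it (for example, `eventbus/*` for CreateEventBus and ListEventBuses, which have no single bus to name).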