Different Alibaba Cloud accounts in the same organization or related organizations usually need to exchange events. You can use the cross-account event routing feature of EventBridge to route events from multiple Alibaba Cloud accounts to one Alibaba Cloud account for centralized processing. This topic describes the background information, limits, and procedure for routing events across Alibaba Cloud accounts. This topic also describes how to verify the result.

Background information

In the scenario shown in the following figure, Alibaba Cloud Account A and Alibaba Cloud Account B belong to the same organization or related organizations. You can route the audit events of the RAM users of Alibaba Cloud Account A to the default event bus of Alibaba Cloud Account B for centralized processing. To do so, perform the following steps:

  1. Use Alibaba Cloud Account B that receives events to create a RAM role. Set the trusted entity of the RAM role to Alibaba Cloud Account A that sends events.
  2. Use Alibaba Cloud Account B to grant the RAM role the permissions to publish events. Alibaba Cloud Account A can assume the RAM role and has the permissions to publish events to Alibaba Cloud Account B.
  3. Use Alibaba Cloud Account B to modify the trust policy of the RAM role so that it also trusts the EventBridge service of Alibaba Cloud Account A. This is the principal that actually assumes the RAM role when events are delivered, so EventBridge of Alibaba Cloud Account A can then assume the RAM role and publish events to Alibaba Cloud Account B.
  4. Use Alibaba Cloud Account A to create an event rule and route audit events to the default event bus of Alibaba Cloud Account B.
(Figure: Route events across Alibaba Cloud accounts)
Note Events from multiple accounts can be routed to the same event bus of an account. The aliyunoriginalaccountid extended field of the events specifies the sources of the events. The account to which the events are routed can filter the events based on the aliyunoriginalaccountid field.
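As an added example (not from the original topic), the following Python shows how the receiving account can use the aliyunoriginalaccountid extension field to accept only the cross-account events it expects. The pattern matcher implements a simplified version of EventBridge pattern semantics and is an assumption of this example, as are the account IDs, sources and event types in the constructed sample events.

```python
import json

# Constructed sample events (not from the topic) in the CloudEvents 1.0 JSON shape
# EventBridge delivers. aliyunoriginalaccountid is the extension field EventBridge
# adds to cross-account events; account IDs, sources and types are made-up values.
EVENTS = [
    json.dumps({"specversion": "1.0", "id": "evt-1", "source": "acs.ram",
                "type": "ram:ActionTrail:ApiCall", "aliyunoriginalaccountid": "1234567890123456",
                "data": {"eventName": "CreateUser"}}),
    json.dumps({"specversion": "1.0", "id": "evt-2", "source": "acs.ram",
                "type": "ram:ActionTrail:ApiCall", "aliyunoriginalaccountid": "9999999999999999",
                "data": {"eventName": "DeleteUser"}}),
    # Event generated inside the receiving account itself: no extension field.
    json.dumps({"specversion": "1.0", "id": "evt-3", "source": "acs.ecs",
                "type": "ecs:Instance:StateChange", "data": {"state": "Stopped"}}),
]

def matches(pattern: dict, event: dict) -> bool:
    """Simplified EventBridge pattern semantics (an assumption of this example):
    every pattern key must exist in the event; a list of values matches if the
    event value equals one of them or starts with a {"prefix": ...} entry;
    a nested dict is matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not (isinstance(value, dict) and matches(allowed, value)):
                return False
            continue
        for candidate in allowed:
            if isinstance(candidate, dict) and "prefix" in candidate:
                if isinstance(value, str) and value.startswith(candidate["prefix"]):
                    break
            elif value == candidate:
                break
        else:
            return False  # no candidate matched this key
    return True

def accepted_event_ids(pattern: dict, raw_events: list) -> list:
    """IDs of the delivered events that a rule with this pattern would pass on."""
    return [json.loads(e)["id"] for e in raw_events if matches(pattern, json.loads(e))]

# Pattern for a rule on Account B's default bus: only RAM audit events that
# EventBridge stamped as originating from Account A, and nothing from any
# other account that is also allowed to publish to the bus.
SENDER_PATTERN = {"aliyunoriginalaccountid": ["1234567890123456"], "source": ["acs.ram"]}
```

An event without the extension field (evt-3 above) never matches a pattern that names it, so events generated inside the receiving account are not mistaken for cross-account events.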

Limits

  • You can route events across Alibaba Cloud accounts only in the same region.
  • Events of a default event bus can be routed only to a default event bus. Events of a custom event bus can be routed only to a custom event bus.

Step 1: Create a RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the Resource Access Management (RAM) console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role pane, set the Trusted Entity Type parameter to Alibaba Cloud Account, and then click Next.
  5. Configure the RAM role.
    1. Set the RAM Role Name parameter.
    2. Optional: Set the Note parameter.
    3. For Select Trusted Alibaba Cloud Account, select Other Alibaba Cloud Account, enter the ID of Alibaba Cloud Account A that sends events, and then click OK.

Step 2: Grant permissions to the RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM role.
    1. Set the authorization scope.
      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.
      • Specific Resource Group: The authorization takes effect on a specific resource group.
        Note If you select Specific Resource Group as the authorization scope, make sure that the cloud service supports resource groups. For more information, see Alibaba Cloud services that support resource groups.
    2. Specify the principal.
      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.
    3. Select policies.
      Find and click AliyunEventBridgePutEventsPolicy in the Authorization Policy Name column, and click OK.
      Note
      • You can attach a maximum of five policies to a RAM role at a time. If you need to attach more than five policies to a RAM role, perform the operation multiple times.
      • If the system policies cannot meet your requirements, you can create a custom policy to provide finer-grained access control. This way, you can grant permissions on specific event buses to accounts that send events. For more information, see Create a custom policy.

Step 3: Modify the trust policy

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. On the RAM Roles page, find the specific RAM role and click its name.
  4. Click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
  5. Modify the trust policy and click OK.

    The following sample code shows a trust policy:

    {
        "Statement":[
            {
                "Action":"sts:AssumeRole",
                "Effect":"Allow",
                "Principal":{
                    "Service":[
                        "${Account A}@eventbridge.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version":"1"
    }

    After the trust policy is modified, EventBridge of Alibaba Cloud Account A can assume the RAM role.
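As an added example (not from the original topic), the following Python audits the trust policy that Steps 1 to 3 leave on Account B's RAM role: it lists which accounts may assume the role and flags any principal that is a wildcard or not in one of the two expected forms. The acs:ram::<id>:root entry produced by Step 1 and the sample account ID are assumptions of this example.

```python
import json
import re

# Constructed sample (not from the topic): Account B's trust policy after Steps 1
# and 3, with the ${Account A} placeholder filled with a made-up 16-digit ID.
# The acs:ram::<id>:root entry is assumed to be what selecting a trusted Alibaba
# Cloud account in Step 1 produces; the Service entry is the one shown in Step 3.
ACCOUNT_A = "1234567890123456"
TRUST_POLICY = json.dumps({
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
            "RAM": [f"acs:ram::{ACCOUNT_A}:root"],
            "Service": [f"{ACCOUNT_A}@eventbridge.aliyuncs.com"],
        },
    }],
    "Version": "1",
})

RAM_PRINCIPAL = re.compile(r"^acs:ram::(\d+):root$")
SERVICE_PRINCIPAL = re.compile(r"^(\d+)@eventbridge\.aliyuncs\.com$")

def trusted_accounts(trust_policy_json: str) -> dict:
    """Account IDs whose users or EventBridge service may assume the role, plus
    any principal that is a wildcard or does not fit the two expected forms."""
    accounts, unexpected = set(), []
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        for kind, form in (("RAM", RAM_PRINCIPAL), ("Service", SERVICE_PRINCIPAL)):
            entries = stmt.get("Principal", {}).get(kind, [])
            for entry in [entries] if isinstance(entries, str) else entries:
                match = form.match(entry)
                if match:
                    accounts.add(match.group(1))
                else:
                    unexpected.append(entry)  # wildcard or unknown principal
    return {"accounts": accounts, "unexpected": unexpected}

def audit(trust_policy_json: str, allowed_senders: set) -> list:
    """Findings for the receiving account's role: trusted accounts outside the
    allowlist of sending accounts, and wildcard or unrecognised principals."""
    result = trusted_accounts(trust_policy_json)
    findings = [f"untrusted sender account {a}" for a in sorted(result["accounts"] - allowed_senders)]
    findings += [f"unexpected principal {p}" for p in result["unexpected"]]
    return findings
```

Run audit() against the trust policy exported from the RAM console whenever the set of sending accounts changes, so that a role that has drifted to trust an extra account or a wildcard is caught before it can publish to the bus.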

Step 4: Create an event rule

  1. Log on to the EventBridge console by using Alibaba Cloud Account A.
  2. In the left-side navigation pane, click Event Buses.
  3. In the top navigation bar, select a region.
  4. On the Event Buses page, find the default event bus and click default.
  5. In the left-side navigation pane, click Event Rules.
  6. On the Event Rules page, click Create Rule.
  7. Complete the Create Rule wizard.
    1. In the Configure Basic Info step, enter a rule name in the Name field and a rule description in the Description field, and click Next Step.
    2. In the Configure Event Pattern step, set the Event Source Type parameter to Alibaba Cloud Service Event Source, select an Alibaba Cloud service from the Event Source drop-down list and an event type from the Event Type drop-down list, specify an event pattern in the Event Pattern Content code editor, and then click Next Step.
    3. In the Configure Targets step, configure an event target. Then, click Create.
      • Service Type: Click EventBridge.
      • Destination Account Type: By default, this parameter is set to Another Alibaba Cloud Account.
      • Account ID: Enter the ID of Alibaba Cloud Account B.
      • Event Bus Name: Enter default.
      • Event: By default, this parameter is set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.
      Note You can configure a maximum of five event targets for an event rule.

Verify the result

You can use Alibaba Cloud Account B to query events. For more information, see Query events by event ID.