EventBridge: Route events to EventBridge

Last Updated: Jan 14, 2025

EventBridge allows you to route events to the same Alibaba Cloud account or another Alibaba Cloud account. You can use event rules to filter events and route the events to EventBridge of the same Alibaba Cloud account or another Alibaba Cloud account. This topic describes the prerequisites, background information, usage notes, and procedure for routing an event to EventBridge.

Before you start

Activate EventBridge and grant permissions to a Resource Access Management (RAM) user

Background information

Feature 1: Same-account event routing

The following figure shows a scenario in which events are routed to the same Alibaba Cloud account. In this scenario, the system event bus, Custom Event Bus A, Custom Event Bus B, and Custom Event Bus C all belong to Alibaba Cloud Account A. You can route any event of these event buses to the custom event buses of Alibaba Cloud Account A for centralized processing.

[Figure: Same-account event routing]

Feature 2: Cross-account event routing

The following figure shows a scenario in which events are routed across Alibaba Cloud accounts. In this scenario, Alibaba Cloud Account A and Alibaba Cloud Account B belong to the same organization or two related organizations. You can route any event of the RAM user of Alibaba Cloud Account A to the custom event buses of Alibaba Cloud Account B for centralized processing by performing the following steps:

  1. Use Alibaba Cloud Account B that receives events to create a RAM role. Set the trusted entity of the RAM role to Alibaba Cloud Account A that sends events.

  2. Use Alibaba Cloud Account B that receives events to grant the RAM role the permissions to publish events. Alibaba Cloud Account A can assume the RAM role to obtain the permissions to publish events to Alibaba Cloud Account B.

  3. Use Alibaba Cloud Account B that receives events to modify the trust policy of the RAM role and attach the policy that is used to grant the permissions to publish events to the Alibaba Cloud services of Alibaba Cloud Account B. The Alibaba Cloud services of Alibaba Cloud Account B can also assume the RAM role and have the permissions to publish events to Alibaba Cloud Account B.

  4. Use Alibaba Cloud Account A that sends events to create an event rule and route the event to the custom event buses of Alibaba Cloud Account B.

[Figure: Cross-account event routing]

Note

Events from multiple accounts can be routed to the same event bus of an account. The aliyunoriginalaccountid extended field of the events specifies the sources of the events. The account to which the events are routed can filter the events based on the aliyunoriginalaccountid field.
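The origin check described in the note above, as an added example that is not part of the original documentation: a consumer on the receiving account's bus accepts an event only when its aliyunoriginalaccountid is a known sender and the event source is one that sender is expected to route. The account IDs, the expected-source table, the sample events and the function names are constructed for illustration; rejecting events that lack the field is an assumption that suits a bus holding only routed events.

```python
from collections import Counter

# Assumption: accounts allowed to route to this bus and the event sources
# each one is expected to send. Account IDs and sources are constructed.
EXPECTED = {
    "1111111111111111": {"acs.oss", "acs.ecs"},
    "2222222222222222": {"acs.oss"},
}

# Constructed sample events in CloudEvents 1.0 shape, as they would arrive
# on the shared bus after routing.
SAMPLE_EVENTS = [
    {"specversion": "1.0", "id": "evt-1", "source": "acs.oss",
     "type": "constructed:Type", "aliyunoriginalaccountid": "1111111111111111"},
    {"specversion": "1.0", "id": "evt-2", "source": "acs.ecs",
     "type": "constructed:Type", "aliyunoriginalaccountid": "2222222222222222"},
    {"specversion": "1.0", "id": "evt-3", "source": "acs.oss",
     "type": "constructed:Type", "aliyunoriginalaccountid": "3333333333333333"},
    {"specversion": "1.0", "id": "evt-4", "source": "acs.oss",
     "type": "constructed:Type"},
]

def triage(events, expected=EXPECTED):
    """Split events into accepted ones and (event id, reason) rejections."""
    accepted, rejected = [], []
    for ev in events:
        origin = ev.get("aliyunoriginalaccountid")
        if origin is None:
            # Policy choice for a bus that should only hold routed events.
            rejected.append((ev.get("id"), "no aliyunoriginalaccountid"))
        elif str(origin) not in expected:
            rejected.append((ev.get("id"), "unknown origin account"))
        elif ev.get("source") not in expected[str(origin)]:
            rejected.append((ev.get("id"), "source not expected for account"))
        else:
            accepted.append(ev)
    return accepted, rejected

def accepted_per_account(events, expected=EXPECTED):
    """Count accepted events per originating account."""
    accepted, _ = triage(events, expected)
    return Counter(str(ev["aliyunoriginalaccountid"]) for ev in accepted)

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS)[1]:
        print(event_id, reason)
```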

Usage notes

  • Both the same-account event routing feature and the cross-account event routing feature allow you to route events across regions.

  • Events of the system event bus and custom event buses can be routed to only custom event buses.

Route events to the same account

  1. Log on to the EventBridge console. In the left-side navigation pane, click Event Buses.

  2. In the top navigation bar, select a region. On the Event Buses page, click default (System Event Bus).

  3. In the left-side navigation pane, click Event Rules. On the page that appears, click Create Rule.

  4. In the Create Rule wizard, perform the following steps:

    1. In the Configure Basic Info step, configure the Name and Description parameters and click Next Step.

    2. In the Configure Event Pattern step, configure the following parameters and click Next Step.

      • Event Source Type: Select Alibaba Cloud Service Event Source.

      • Event Source: Select the Alibaba Cloud service from which events are routed.

      • Event Type: Select the type of events that you want to route.

      • Pattern Content: Enter an event pattern.

    3. In the Configure Targets step, configure the following parameters and click Create.

      • Service Type: Select EventBridge.

      • Destination Type: Select Same-account Event Bus.

      • Region: Select the region where the event bus resides.

      • Event Bus: Select the event bus to which you want to route events.

      • Event: This parameter is automatically set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.

      Note

      You can configure up to five event targets for an event rule.

    You can query an event on the event bus to which you route the event. For more information, see Query events.

Route events across accounts

Step 1: Create a RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Account in the Select Role Type section and click Next.

  5. Configure the RAM role.

    1. Configure the RAM Role Name parameter.

    2. (Optional) Configure the Note parameter.

    3. Set the Select Trusted Alibaba Cloud Account parameter to Other Alibaba Cloud Account, enter the ID of Alibaba Cloud Account A that sends events, and then click OK.

Step 2: Grant permissions to the RAM role

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, find the RAM role that you want to manage and click Grant Permission in the Actions column.

    You can also select multiple RAM roles and click Grant Permission in the lower part of the RAM role list to grant permissions to multiple RAM roles at a time.

  4. In the Grant Permission panel, grant permissions to the RAM role.

    1. Specify the authorization scope.

      • Account: The permissions are granted to the current Alibaba Cloud account.

      • ResourceGroup: The permissions are granted to a specific resource group.

        Note

        If you select ResourceGroup for the Resource Scope parameter, make sure that the cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select the policy.

      In the Policy section, find and select AliyunEventBridgePutEventsPolicy. Then, click Grant permissions.

      Note

      • You can attach up to five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

      • If the system policies cannot meet your requirements, you can create a custom policy to implement fine-grained access control. This way, you can grant permissions on specific event buses to the accounts that send events. For more information, see Create custom policies.

Step 3: Modify the trust policy

  1. Use Alibaba Cloud Account B that receives events to log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click the name of the RAM role that you created.

  4. On the Trust Policy tab, click Edit Trust Policy.

  5. Modify the content of the trust policy and click Save trust policy document.

    The following sample code provides an example of trust policies:

    {
        "Statement":[
            {
                "Action":"sts:AssumeRole",
                "Effect":"Allow",
                "Principal":{
                    "Service":[
                        "${Account A}@eventbridge.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version":"1"
    }

    After you modify the trust policy, EventBridge of Alibaba Cloud Account A that sends events can assume the RAM role.
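A check that can be run on the saved trust policy, as an added example and not Alibaba Cloud's own tooling: it lists every principal allowed to assume the role that is not an expected sender account, including a `${Account A}` placeholder left unreplaced. The account IDs and function names are constructed; the `acs:ram::<account-id>:root` form is assumed for the account principal that Step 1 creates.

```python
import json
import re

# Constructed sample: the page's trust policy with ${Account A} replaced by a
# made-up account ID, plus a broader second statement that triggers findings.
SAMPLE_POLICY = """
{"Statement": [
  {"Action": "sts:AssumeRole", "Effect": "Allow",
   "Principal": {"Service": ["1111111111111111@eventbridge.aliyuncs.com"]}},
  {"Action": "sts:AssumeRole", "Effect": "Allow",
   "Principal": {"Service": ["${Account A}@eventbridge.aliyuncs.com",
                             "eventbridge.aliyuncs.com"],
                 "RAM": ["acs:ram::2222222222222222:root"]}}],
 "Version": "1"}
"""

SERVICE_RE = re.compile(r"^(?:(\d+)@)?([a-z0-9.-]+)$")  # [<account>@]<service>
RAM_RE = re.compile(r"^acs:ram::(\d+):")                # acs:ram::<account>:...

def as_list(value):
    """RAM policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_trust_policy(policy_json, senders, service="eventbridge.aliyuncs.com"):
    """Return (statement index, principal, reason) for each unexpected principal."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict):
            findings.append((idx, repr(principal), "malformed Principal"))
            continue
        for svc in as_list(principal.get("Service")):
            m = SERVICE_RE.match(svc)
            if not m or m.group(2) != service:
                findings.append((idx, svc, "unrecognized service principal"))
            elif m.group(1) is None:
                findings.append((idx, svc, "not pinned to a sender account"))
            elif m.group(1) not in senders:
                findings.append((idx, svc, "sender account not expected"))
        for ram in as_list(principal.get("RAM")):
            m = RAM_RE.match(ram)
            if not m or m.group(1) not in senders:
                findings.append((idx, ram, "account principal not expected"))
    return findings
```

Calling `audit_trust_policy(SAMPLE_POLICY, {"1111111111111111"})` returns three findings, all from the second statement.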

Step 4: Create an event rule

  1. Use the Alibaba Cloud Account A that sends events to log on to the EventBridge console. In the left-side navigation pane, click Event Buses.

  2. In the top navigation bar, select a region. On the Event Buses page, click default (System Event Bus).

  3. In the left-side navigation pane, click Event Rules. On the page that appears, click Create Rule.

  4. In the Create Rule wizard, perform the following steps:

    1. In the Configure Basic Info step, configure the Name and Description parameters and click Next Step.

    2. In the Configure Event Pattern step, configure the following parameters and click Next Step.

      • Event Source Type: Select Alibaba Cloud Service Event Source.

      • Event Source: Select the Alibaba Cloud service from which events are routed.

      • Event Type: Select the type of events that you want to route.

      • Pattern Content: Enter an event pattern.

    3. In the Configure Targets step, configure the following parameters and click Create.

      • Service Type: Select EventBridge.

      • Destination Type: Select Cross-account Event Bus.

      • Region: Select the region where the event bus of Alibaba Cloud Account B resides.

      • Account ID: Enter the ID of Alibaba Cloud Account B.

      • Event Bus Name: Enter default.

      • Role: Enter the name of the RAM role that you created in Step 1: Create a RAM role.

      • Event: This parameter is automatically set to Complete Event. The complete data structure is routed without transformation. The data structure is defined in the CloudEvents 1.0 specification.

      Note

      You can configure up to five event targets for an event rule.

    You can use Alibaba Cloud Account B that receives events to query events. For more information, see Query events.