Skip to content

aws-events: Cannot grant putEvents to Service Principals #22080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
arcrank opened this issue Sep 16, 2022 · 8 comments · Fixed by #33729
Closed

aws-events: Cannot grant putEvents to Service Principals #22080

arcrank opened this issue Sep 16, 2022 · 8 comments · Fixed by #33729
Assignees
@scorbiere
Labels
@aws-cdk/aws-events Related to CloudWatch Events bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@arcrank
Copy link
Contributor

arcrank commented Sep 16, 2022

Describe the bug

When trying to grantPutEventsTo an AWS SP, there is a no-op, and no warnings or errors. I would expect if we added a grant to a iam.ServicePrincipal that the underlying grant/policy would be created. We can add an SP to the event bus in the console. Tracing back code I myself didn't necessary find a place where this would have failed, or I would have expected if this was not possible to give a failure message.

Expected Behavior

I would expect the template to have grant policies attached. If for some reason you weren't allowed to add SPs, I would expect a failure message and error.

Current Behavior

Nothing is logged to the terminal when synthing the template snippet is

 "Resources": {
  "bus707364D1": {
   "Type": "AWS::Events::EventBus",
   "Properties": {
    "Name": "MyCustomEventBus"
   },
   "Metadata": {
    "aws:cdk:path": "xxx/bus/Resource"
   }
  },
  "busMyArchiveF1010141": {
   "Type": "AWS::Events::Archive",
   "Properties": {
    "SourceArn": {
     "Fn::GetAtt": [
      "bus707364D1",
      "Arn"
     ]
    },
    "ArchiveName": "MyCustomEventBusArchive",
    "Description": "MyCustomerEventBus Archive",
    "EventPattern": {
     "account": [
      "264988854622"
     ]
    },
    "RetentionDays": 365
   },

Reproduction Steps

    const bus = new events.EventBus(this, 'bus', {
      eventBusName: 'MyCustomEventBus'
    });
    
    bus.archive('MyArchive', {
      archiveName: 'MyCustomEventBusArchive',
      description: 'MyCustomerEventBus Archive',
      eventPattern: {
        account: [cdk.Stack.of(this).account],
      },
      retention: cdk.Duration.days(365),
    });

    bus.grantPutEventsTo(new iam.ServicePrincipal('lambda.amazonaws.com'));

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.23.0

Framework Version

No response

Node.js Version

14

OS

MacOs/Linux

Language

Typescript

Language Version

No response

Other information

No response
@arcrank arcrank added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 16, 2022
@github-actions github-actions bot added the @aws-cdk/aws-events Related to CloudWatch Events label Sep 16, 2022
@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2022
@rix0rrr rix0rrr removed their assignment Sep 19, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented Sep 19, 2022

This should have worked the way you said. Investigation is required.

@pgarbe
Copy link
Contributor

pgarbe commented Nov 17, 2022
edited
Loading

It also does not work for a cross-account scenario. The grantPutEventsTo function wants to add the permission to the grantee. It doesn't fail but also nothing will be synthesized. In that case it would need to add an EventBusPolicy to the event bus.

Example:

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
eventBus.grantPutEventsTo(new cdk.aws_iam.AccountPrincipal('123456789012'));

Workaround (from StackOverflow):

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
new cdk.aws_events.CfnEventBusPolicy(this, 'XAccountPolicy', {
    statementId: 'AllowXAccountPushEvents',
    action: 'events:PutEvents',
    eventBusName: eventBus.eventBusName,
    principal: '123456789012,
});

Any recommendation @rix0rrr how this should be implemented? Not sure if grantPutEventsTo should create that policy as it would break the pattern. But it should at least fail.

@Isaac-Kleinman
Copy link

It seems like the fix for this would be for grantPutEvents() to use iam.Grant.addToPrincipalOrResource() instead of iam.Grant.addToPrincipal().

@hassaku63
Copy link
Contributor

hassaku63 commented Nov 21, 2022
edited
Loading

If what you want to do is that put EventBusPolicy to your custom EventBus, it seems currently L2 construct not support this use case. Needs to use CfnEventBusPolicy (same as this comments indicates).

(Below is my idea about how this use case could be implemented..)

According to other service that has resouce based policy such as SNS and SQS, service specific (resource based) Policy class is available and service class provides "addToResourcePolicy()" method.

e.x) addToResourcePolicy method in Topic class and TopicPolicy class

All AWS resources that support resource policies have a method called addToResourcePolicy(), which will automatically create a new resource policy if one doesn't exist yet, otherwise it will add to the existing policy.

Follow the above, like SNS and SQS, I think it would be a good idea to provide an addToResourcePolicy method for EventBus.

@hassaku63 hassaku63 mentioned this issue Nov 21, 2022
Closed
2 tasks
@trondhindenes
Copy link

Looks like this is a bug for several IGrantable types. I'm trying:

        self.ec2_events_receiver_bus = aws_events.EventBus(
            self,
            "receiverBus",
            event_bus_name="org-ec2-events",

        )
        self.ec2_events_receiver_bus.grant_all_put_events(
           aws_iam.OrganizationPrincipal(organization_id="myorg")
        )

But that also results in no changes. I'll use resource policy for now, but it would be awesome if this worked as intended.

@areller
Copy link

areller commented Mar 6, 2023
edited
Loading

It also does not work for a cross-account scenario. The grantPutEventsTo function wants to add the permission to the grantee. It doesn't fail but also nothing will be synthesized. In that case it would need to add an EventBusPolicy to the event bus.

Example:

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
eventBus.grantPutEventsTo(new cdk.aws_iam.AccountPrincipal('123456789012'));

Workaround (from StackOverflow):

const eventBus = new cdk.aws_events.EventBus(this, 'Bus');
new cdk.aws_events.CfnEventBusPolicy(this, 'XAccountPolicy', {
    statementId: 'AllowXAccountPushEvents',
    action: 'events:PutEvents',
    eventBusName: eventBus.eventBusName,
    principal: '123456789012,
});

Any recommendation @rix0rrr how this should be implemented? Not sure if grantPutEventsTo should create that policy as it would break the pattern. But it should at least fail.

is there a workaround like this that works with service principals? @pgarbe

Edit:

This

const policyStatementId = `...`;
const policyStatement = new PolicyStatement({
  sid: policyStatementId,
  effect: Effect.ALLOW,
  actions: ['events:PutEvents'],
  resources: [eventsBus.eventBusArn],
  principals: [new ServicePrincipal(`...`)],
});

new CfnEventBusPolicy(this, policyStatementId, {
  statementId: policyStatementId,
  statement: policyStatement.toStatementJson(),
  eventBusName: `...`,
});

worked for me

@scorbiere scorbiere self-assigned this Mar 10, 2025
scorbiere added a commit to scorbiere/aws-cdk that referenced this issue Mar 10, 2025
@scorbiere
test(events): add failing test for EventBus.grantPutEventsTo with ser…
bf31013 
…vice principals (issue aws#22080)
scorbiere added a commit to scorbiere/aws-cdk that referenced this issue Mar 10, 2025
@scorbiere
fix(events): EventBus.grantPutEventsTo now correctly handles service …
2c654ae 
…principals (fixes aws#22080)
scorbiere added a commit to scorbiere/aws-cdk that referenced this issue Mar 10, 2025
@scorbiere
fix(events): EventBus.grantPutEventsTo now correctly handles service …
50bd792 
…principals (fixes aws#22080)
@scorbiere scorbiere mentioned this issue Mar 10, 2025
Merged
1 task
This was referenced Mar 13, 2025
Closed
Closed
Closed
Closed
@mergify mergify bot closed this as completed in #33729 Mar 21, 2025
@mergify mergify bot closed this as completed in 38d82c4 Mar 21, 2025
@github-actions GitHub Actions
Copy link
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 21, 2025
shikha372 pushed a commit to shikha372/aws-cdk that referenced this issue Apr 4, 2025
@scorbiere @shikha372
fix(events): now EventBus.grantPutEventsTo correctly handles servic…
1aec756 
…e principals (under feature flag) (aws#33729)

### Issue aws#22080

Closes aws#22080.

### Reason for this change

When trying to grant PutEvents permissions to an AWS Service Principal using `grantPutEventsTo`, the method performed a no-op without any warnings or errors. This prevented users from properly granting permissions to service principals, even though this is a valid use case that can be done through the AWS Console. The change implements the correct behavior by creating an EventBusPolicy when dealing with service principals.

### Description of changes

- Added special handling for service principals in `EventBus.grantPutEventsTo` method
- When granting permissions to a service principal, creates an EventBusPolicy instead of attempting to modify IAM policies
- Returns `iam.Grant.drop()` for service principals to indicate permissions are handled via EventBusPolicy
- Added test cases to verify both service principal and IAM principal scenarios

### Describe any new or updated permissions being added

The change introduces the creation of EventBusPolicy resources with `events:PutEvents` permission when granting access to service principals. This is not a new permission, but rather a different way of granting the same permission through resource-based policies instead of identity-based policies.


### Description of how you validated changes

Added new test cases that verify:
- EventBusPolicy is correctly created when granting permissions to service principals
- IAM policies are correctly created when granting permissions to IAM roles/users

### Checklist
- [X] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@scorbiere scorbiere

Labels
@aws-cdk/aws-events Related to CloudWatch Events bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Milestone
No milestone
8 participants
@rix0rrr @pgarbe @Isaac-Kleinman @trondhindenes @hassaku63 @scorbiere @areller @arcrank