Why is the EventBridge rule that was created using AWS CLI or AWS CloudFormation failing to invoke its target?


I want to troubleshoot why the Amazon EventBridge rule that was created using the AWS Command Line Interface (AWS CLI) or AWS CloudFormation doesn't work correctly.

Short description

Targets need AWS Identity and Access Management (AWS IAM) or resource-based policies to grant permissions to an Amazon EventBridge rule to access or invoke the target.

Review these best practices when you create or update an EventBridge rule using the AWS CLI, API, or AWS CloudFormation:

  • When you create or modify an EventBridge rule using the EventBridge console, EventBridge automatically adds the appropriate permissions to the target's policy.
  • When you create or update an EventBridge rule using the AWS CLI, SDK, or AWS CloudFormation, you must manually apply the permission in target policies.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you use the most recent AWS CLI version.

EventBridge uses two permission models to manage the rule's access to target resources: resource-based policies and identity-based policies. For more information, see Managing access to resources.

Review the EventBridge rule metrics to confirm the invocation failures

Complete the following steps:

  1. Open the Amazon EventBridge console.
  2. From the navigation pane on the left, under Buses, select Rules.
  3. Click on the rule name.
  4. Click on the Monitoring tab under the rule details.
  5. Review the FailedInvocations metrics by selecting the appropriate time in the dashboard. FailedInvocations represents a permanent failure and might be the result of incorrect permissions or a misconfigured target. For more information, see EventBridge metrics.

Confirm that the EventBridge rule has the necessary permissions to invoke its target

Use the following links to confirm that the EventBridge rule has the required permissions for the configured target.

Resource-based policies

The following targets use a resource-based policy:

  • AWS Lambda
  • API Gateway
  • Amazon Simple Notification Service (Amazon SNS)
  • Amazon Simple Queue Service (Amazon SQS)
  • Amazon CloudWatch log groups

For information on creating a rule for CloudWatch logs as target, see How do I add a CloudWatch log group to use as a target for an EventBridge rule?
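The check described above for a resource-based policy, as an added example that is not part of the original article: it looks for an Allow statement that lets `events.amazonaws.com` perform the target action for one specific rule ARN. The rule name, account ID, function name, and `find_allow` helper are constructed for illustration; explicit Deny statements and condition keys other than `aws:SourceArn` are not evaluated.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    """Policy JSON allows a bare string wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _source_arn_ok(condition, rule_arn):
    """False if any aws:SourceArn condition excludes rule_arn (no condition = unrestricted)."""
    for operator in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
        for key, patterns in condition.get(operator, {}).items():
            if key.lower() != "aws:sourcearn":  # condition keys are case-insensitive
                continue
            if operator == "StringEquals":
                matched = rule_arn in _as_list(patterns)
            else:  # the other three operators accept * and ? wildcards
                matched = any(fnmatchcase(rule_arn, p) for p in _as_list(patterns))
            if not matched:
                return False
    return True

def find_allow(policy_text, rule_arn, action):
    """Return the Sid of the first statement letting EventBridge run `action` for rule_arn, else None."""
    doc = json.loads(policy_text)
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if (stmt.get("Effect") == "Allow"
                and "events.amazonaws.com" in services
                and any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and _source_arn_ok(stmt.get("Condition", {}), rule_arn)):
            return stmt.get("Sid", "(no Sid)")
    return None

# Constructed sample: the policy document that `aws lambda get-policy` returns in "Policy".
RULE_ARN = "arn:aws:events:us-east-1:111122223333:rule/nightly-report"
OLD_RULE_ARN = "arn:aws:events:us-east-1:111122223333:rule/old-rule"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "allow-old-rule", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:report",
    "Condition": {"ArnLike": {"AWS:SourceArn": OLD_RULE_ARN}}}]})

if __name__ == "__main__":
    # The statement is scoped to a different rule, so the new rule has no permission.
    print(find_allow(SAMPLE_POLICY, RULE_ARN, "lambda:InvokeFunction"))
```

A result of `None` for a rule created with the AWS CLI or AWS CloudFormation means that the target's policy still needs a statement for that rule's ARN.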

Identity-based policies

These targets need the proper IAM policy permissions. For more information, see Permissions required for EventBridge to access targets using IAM roles.
Note: For information on adding IAM policies, see Adding and removing IAM identity permissions.

See the following policies:

  • Amazon API destination

  • Systems Manager

  • Step Functions state machine

  • ECS task

  • Amazon Elastic Compute Cloud (Amazon EC2)

  • Kinesis Streams

  • Amazon SageMaker Pipeline

    Note: For more information on creating a rule for SageMaker Pipeline as a target, see Create an EventBridge rule using the AWS CLI.

Policies for cross-account, cross-Region, and event bus targets

If the target is in another account, is in another Region, or is another event bus, then see permissions for Amazon EventBridge event buses for resource-based policies. For information on configuring cross-account or cross-Region rules, see A step-by-step guide to cross-account and cross-region events with EventBridge.

API Gateway target policies

  • API Gateway targets can use either resource-based policies or IAM roles.

Add an Amazon SQS dead-letter queue to the target

If the EventBridge rule's target reports a failed invocation after you added the required policy, then add an Amazon SQS dead-letter queue (DLQ) to the target to store the event's metadata. Use the stored data to analyze why the EventBridge rule failed to invoke the configured target and deliver the event to it. For more information on how to validate targets, see How can I troubleshoot issues with Amazon EventBridge rules?

Related information

Why wasn't my Lambda function triggered by my EventBridge rule?

Troubleshooting Amazon EventBridge

AWS OFFICIAL. Updated a year ago.