根据此文档,我尝试:
ebMailPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
EventBusName: !Ref ebMail
StatementId: AllowForOrg
Statement:
Effect: Allow
Action: events:PutEvents
Condition:
StringEquals:
"aws:PrincipalOrgID": !Ref OrgId
Principal: "*"
错误是:
The relative-id "event-bus/bus_name" is invalid for ARN "arn:aws:events:eu-central-1:acc_id:event-bus/bus_name"
我做错了什么?
医生错了。正确版本:
ebMailPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
EventBusName: !Ref ebMail
StatementId: CrossAccSendEvents
Action: events:PutEvents
Principal: "*"
Condition:
Type: StringEquals
Key: aws:PrincipalOrgID
Value: !Ref OrgId
AWS 文档没有明确说明,但这就是我们正在做的工作
EventBusPolicy:
Type: AWS::Events::EventBusPolicy
DependsOn: CustomEventBridgeBus
Properties:
StatementId: "AllowSameAWSAccount"
EventBusName: !Ref CustomEventBridgeBus
Statement:
Effect: "Allow"
Principal:
AWS: !ImportValue IntanceRoleArn
Action: "events:PutEvents"
Resource: !GetAtt CustomEventBridgeBus.Arn
你说得对! AWS 文档不清楚。
要允许限制某个组织但允许该组织中的所有帐户,您应该执行以下操作:
MyEventBusPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
Action: events:PutEvents
StatementId: CrossAccountAndOrgPolicy
EventBusName: !Ref MySourceEventBusName
Principal: "*" # Every account in that organization
Condition:
Type: StringEquals
Key: aws:PrincipalOrgID
Value: !Ref MyOrgId
要允许限制组织/帐户,您应该执行以下操作:
MyEventBusPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
Action: events:PutEvents
StatementId: CrossAccountAndOrgPolicy
EventBusName: !Ref MySourceEventBusName
Principal: !Ref MySourceAccountID
Condition:
Type: StringEquals
Key: aws:PrincipalOrgID
Value: !Ref MyOrgId
并允许独立于组织的跨帐户,您应该这样做:
MyEventBusPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
Action: events:PutEvents
StatementId: CrossAccountAndOrgPolicy
EventBusName: !Ref MySourceEventBusName
Principal: !Ref MySourceAccountID
希望能帮助其他人。我也花了几个小时来完成这项工作! 😉