Why does my EventBridge rule fail to invoke my API destination target?

3 minute read

I want to successfully invoke my EventBridge API destination target

Short description

Amazon EventBridge API destinations use API calls to route events between AWS services, integrated software as a service (SaaS) applications, and your applications outside AWS. However, sometimes API destinations fail to work as expected.

Resolution

Note: To identify any invocation failure, you must first set up a dead-letter queue (DLQ). The DLQ message includes the ERROR_CODE and ERROR_MESSAGE attributes that can help you understand why the target invocation failed.

Here are some of the common reasons for failed invocation, along with the steps to resolve the issues:

The IAM role doesn't have the correct permissions

Make sure that the AWS Identity and Access Management (IAM) role associated with the API destination target has the events:InvokeApiDestination permissions policy. For more information, see Using identity-based policies (IAM policies) for Amazon EventBridge.

The API destination point is misconfigured

EventBridge requests to an API destination endpoint must have a maximum client execution timeout of five seconds. If the target endpoint takes longer than five seconds to respond, EventBridge times out the request. EventBridge retries timed-out requests up to the maximums that are configured on your retry policy. By default, the maximums are 24 hours and 185 times. After the maximum number of retries, events are sent to your dead-letter queue, if you have one. Otherwise, EventBridge drops the events.
Make sure that the API destination endpoint doesn't block traffic from the Amazon EventBridge service. Verify that it uses a valid Secure Socket Layer (SSL) certificate.

The API destination displays inactive status

You might notice that the API destination status changes to the Inactive state and the connection authorization state changes from an AUTHORIZED to a DEAUTHORIZED state.

While using Connections with the OAuth authorization type, OAuth tokens are refreshed only when your authorization endpoint returns a 401 or 407 response. If your authorization endpoint sends any other response code (for example, a 403 response), EventBridge changes the connection state to a DEAUTHORIZED state.

Check your authorization endpoint logs to identify the reason for failure.

You are using a private API destination endpoint

Note that API destination doesn't support private endpoints. If you use a private endpoint, the API destination target fails.
Work around the issue by invoking an AWS Lambda function, instead. The function is attached to the VPC and can make calls to the private endpoint.

Related information

How can I use a dead-letter queue to troubleshoot FailedInvocations for EventBridge rules?

Topics

Serverless Application Integration

Relevant content

EventBridge API Destination Connection Issue
Paul
asked a year ago
EventBridge failing to invoke API Destination with NO_PERMISSIONS error
AWS-User-9025436
asked 2 years ago
EventBridge failing to invoke API Destination with SDK_CLIENT_ERROR suddenly
rePost-User-8888888
asked a year ago
Eventbridge to Slack API Destination
AWS-User-3610377
asked 2 years ago
EventBridge API destination not working
Accepted Answer
uhagemann
asked a year ago
Why does my EventBridge rule for IAM events only trigger in the us-east-1 Region?
AWS OFFICIALUpdated 9 months ago
Why is the EventBridge rule that was created using AWS CLI or AWS CloudFormation failing to invoke its target?
AWS OFFICIALUpdated 8 months ago
How do I use AWS Batch as a target for my EventBridge rule?
AWS OFFICIALUpdated 2 years ago
Why wasn't my Lambda function triggered by my EventBridge rule?
AWS OFFICIALUpdated 8 months ago
AWS B2B Data Interchange now publishes events to Amazon EventBridge
EXPERT
AWS
published a month ago