Why does my EventBridge rule fail to invoke my API destination target?


I want to successfully invoke my EventBridge API destination target.

Short description

Amazon EventBridge API destinations use API calls to route events between AWS services, integrated software as a service (SaaS) applications, and your applications outside AWS. However, sometimes API destinations fail to work as expected.

Note: To identify any invocation failure, you must first set up a dead-letter queue (DLQ). The DLQ message includes the ERROR_CODE and ERROR_MESSAGE attributes that can help you understand why the target invocation failed.
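The following is an added example (not AWS code) of how a practitioner can read the ERROR_CODE and ERROR_MESSAGE attributes off the dead-letter queue described above and group the failures by cause. The sample messages, their IDs, error codes and message texts are constructed for this example; only the two attribute names come from the article. The cause hints are a heuristic keyed on the constructed message texts. The `fetch_dlq_messages` helper needs boto3 and AWS credentials and is only called when you pass a real queue URL; the offline part runs without either.

```python
import json
from collections import Counter

# Constructed sample of what SQS receive_message returns for an EventBridge
# dead-letter queue when MessageAttributeNames=["All"] is requested. Every
# value, ID and ARN below is made up for this example; only the attribute
# names ERROR_CODE and ERROR_MESSAGE come from the article.
SAMPLE_DLQ_MESSAGES = [
    {
        "MessageId": "00000000-0000-4000-8000-000000000001",
        "Body": json.dumps({"version": "0", "detail-type": "order.created", "detail": {"id": 1}}),
        "MessageAttributes": {
            "ERROR_CODE": {"DataType": "String", "StringValue": "EXAMPLE_TIMEOUT"},
            "ERROR_MESSAGE": {"DataType": "String", "StringValue": "Endpoint did not respond within 5 seconds"},
        },
    },
    {
        "MessageId": "00000000-0000-4000-8000-000000000002",
        "Body": json.dumps({"version": "0", "detail-type": "order.created", "detail": {"id": 2}}),
        "MessageAttributes": {
            "ERROR_CODE": {"DataType": "String", "StringValue": "EXAMPLE_TIMEOUT"},
            "ERROR_MESSAGE": {"DataType": "String", "StringValue": "Endpoint did not respond within 5 seconds"},
        },
    },
    {
        "MessageId": "00000000-0000-4000-8000-000000000003",
        "Body": json.dumps({"version": "0", "detail-type": "order.refunded", "detail": {"id": 3}}),
        "MessageAttributes": {
            "ERROR_CODE": {"DataType": "String", "StringValue": "EXAMPLE_AUTH_FAILURE"},
            "ERROR_MESSAGE": {"DataType": "String", "StringValue": "Authorization endpoint returned 403"},
        },
    },
]

# Heuristic (constructed) mapping from substrings of ERROR_MESSAGE to the
# causes the article lists. Extend it with the texts you actually see.
HINTS = [
    ("not respond", "endpoint exceeded the 5-second client timeout"),
    ("timed out", "endpoint exceeded the 5-second client timeout"),
    ("403", "non-401/407 response from the OAuth authorization endpoint; connection likely DEAUTHORIZED"),
    ("not authorized", "IAM role lacks events:InvokeApiDestination"),
]


def triage_message(msg):
    """Extract the failure attributes from one DLQ message and attach a cause hint."""
    attrs = msg.get("MessageAttributes", {})

    def attr(name):
        return attrs.get(name, {}).get("StringValue", "<missing>")

    error_message = attr("ERROR_MESSAGE")
    hint = next((h for needle, h in HINTS if needle.lower() in error_message.lower()),
                "no hint; compare against the causes in the article")
    try:
        detail_type = json.loads(msg.get("Body") or "{}").get("detail-type")
    except json.JSONDecodeError:
        detail_type = None
    return {
        "message_id": msg.get("MessageId"),
        "detail_type": detail_type,
        "error_code": attr("ERROR_CODE"),
        "error_message": error_message,
        "hint": hint,
    }


def summarize(messages):
    """Return per-message triage rows plus a count of messages per ERROR_CODE."""
    rows = [triage_message(m) for m in messages]
    return rows, Counter(r["error_code"] for r in rows)


def fetch_dlq_messages(queue_url, max_messages=10):
    """Peek at up to 10 messages on the real DLQ (messages are not deleted).

    boto3 is imported here so the offline sample above still runs without it.
    """
    import boto3
    sqs = boto3.client("sqs")
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=max_messages,
                               MessageAttributeNames=["All"], WaitTimeSeconds=5)
    return resp.get("Messages", [])


if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_DLQ_MESSAGES)
    for row in rows:
        print(f"{row['message_id']}  {row['error_code']:<22} {row['hint']}")
    print("failures by ERROR_CODE:", dict(counts))
```

Because the messages are received without being deleted, they become visible again after the queue's visibility timeout, so the script can be rerun while you work through the causes below.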

Here are some of the common reasons for failed invocation, along with the steps to resolve the issues:

The IAM role doesn't have the correct permissions

Make sure that the AWS Identity and Access Management (IAM) role associated with the API destination target has the events:InvokeApiDestination permissions policy. For more information, see Using identity-based policies (IAM policies) for Amazon EventBridge.
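As an added example (not AWS code), here is a least-privilege permissions policy scoped to a single API destination, the trust policy that lets EventBridge assume the role, and a simplified checker that evaluates whether a given policy pair would let EventBridge invoke the destination. The account ID, region and destination name in the ARNs are placeholders. The evaluator handles Allow/Deny, wildcards, and string-or-list fields only; it ignores NotAction, NotResource and Condition, so a policy using those still needs a manual review or the IAM policy simulator.

```python
import fnmatch

# Placeholder ARN: the trailing /* covers the per-destination resource suffix.
API_DESTINATION_ARN = "arn:aws:events:us-east-1:123456789012:api-destination/example-dest/*"

# Permissions policy attached to the role that the rule target references.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["events:InvokeApiDestination"],
        "Resource": API_DESTINATION_ARN,
    }],
}

# Trust policy: without this, EventBridge cannot assume the role at all.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trusts_eventbridge(trust_policy):
    """True if events.amazonaws.com may call sts:AssumeRole on this role."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        actions = _as_list(stmt.get("Action"))
        if "events.amazonaws.com" in services and any(_action_matches(a, "sts:AssumeRole") for a in actions):
            return True
    return False


def check_role(permissions_policy, trust_policy, destination_arn):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if not trusts_eventbridge(trust_policy):
        problems.append("trust policy does not allow events.amazonaws.com to assume the role")
    if not policy_allows(permissions_policy, "events:InvokeApiDestination", destination_arn):
        problems.append(f"no effective Allow for events:InvokeApiDestination on {destination_arn}")
    return problems


if __name__ == "__main__":
    target = "arn:aws:events:us-east-1:123456789012:api-destination/example-dest/abc123"
    print(check_role(PERMISSIONS_POLICY, TRUST_POLICY, target) or "role looks correct")
```

Scoping the Resource to the destination ARN rather than `*` keeps a compromised rule or role from being repointed at other API destinations in the account.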

The API destination endpoint is misconfigured

  • EventBridge requests to an API destination endpoint must have a maximum client execution timeout of five seconds. If the target endpoint takes longer than five seconds to respond, EventBridge times out the request. EventBridge retries timed-out requests up to the maximums that are configured on your retry policy. By default, the maximums are 24 hours and 185 times. After the maximum number of retries, events are sent to your dead-letter queue, if you have one. Otherwise, EventBridge drops the events.
  • Make sure that the API destination endpoint doesn't block traffic from the Amazon EventBridge service. Verify that it uses a valid Secure Socket Layer (SSL) certificate.
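The following added example (not AWS code) probes an endpoint the way EventBridge would, with a POST and a client timeout that defaults to the five seconds described above, and reports the status, elapsed time and any error. Because `urllib.request.urlopen` verifies HTTPS certificates with Python's default SSL context, an invalid certificate surfaces as an error in the same report. The local test server is a constructed stand-in that answers `/fast` immediately and stalls on `/slow`; it speaks plain HTTP on loopback, whereas a real API destination must be HTTPS. Treating only 2xx responses as success is an assumption made here.

```python
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request

# Client execution timeout the article describes for API destination requests.
EVENTBRIDGE_TIMEOUT_SECONDS = 5.0


def probe_endpoint(url, timeout=EVENTBRIDGE_TIMEOUT_SECONDS, body=b'{"probe": true}'):
    """POST to url and report whether it answered with a 2xx inside the timeout.

    Returns {"ok", "status", "elapsed", "error"}. Certificate validation
    failures on HTTPS URLs appear in "error" because urlopen verifies by default.
    """
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            resp.read()
        return {"ok": 200 <= status < 300, "status": status,
                "elapsed": time.monotonic() - start, "error": None}
    except urllib.error.HTTPError as e:
        return {"ok": False, "status": e.code,
                "elapsed": time.monotonic() - start, "error": f"HTTP {e.code}"}
    except OSError as e:  # URLError, socket.timeout and SSL errors all derive from OSError
        reason = getattr(e, "reason", e)
        timed_out = isinstance(reason, socket.timeout)
        error = f"timed out after {timeout:g}s" if timed_out else f"{type(reason).__name__}: {reason}"
        return {"ok": False, "status": None, "elapsed": time.monotonic() - start, "error": error}


class _ProbeTargetHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an API destination endpoint (loopback HTTP only)."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/slow":
            time.sleep(2.0)  # longer than the 1-second timeout used in the demo below
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


class _QuietServer(http.server.ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # the client may have given up on /slow; ignore the resulting write error


def start_local_server():
    """Start the stand-in endpoint on a random loopback port; returns (server, base_url)."""
    srv = _QuietServer(("127.0.0.1", 0), _ProbeTargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_local_server()
    try:
        print("fast:", probe_endpoint(base + "/fast"))
        print("slow:", probe_endpoint(base + "/slow", timeout=1.0))
    finally:
        srv.shutdown()
```

Run the probe from a network location comparable to EventBridge's (that is, the public internet, not from inside the endpoint's own VPC), otherwise a firewall rule blocking the EventBridge service will not show up.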

The API destination displays inactive status

You might notice that the API destination status changes to the Inactive state and the connection authorization state changes from an AUTHORIZED to a DEAUTHORIZED state.

While using Connections with the OAuth authorization type, OAuth tokens are refreshed only when your authorization endpoint returns a 401 or 407 response. If your authorization endpoint sends any other response code (for example, a 403 response), EventBridge changes the connection state to a DEAUTHORIZED state.

Check your authorization endpoint logs to identify the reason for failure.

You are using a private API destination endpoint

  • Note that API destinations don't support private endpoints. If you use a private endpoint, the API destination target fails.
  • Work around the issue by invoking an AWS Lambda function, instead. The function is attached to the VPC and can make calls to the private endpoint.
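As an added example (not AWS code), here is a minimal VPC-attached Lambda function that implements the workaround: it forwards the EventBridge event it receives as a JSON POST to a private endpoint and raises on a non-2xx reply so that Lambda reports the invocation as failed. The endpoint URL, the sample event and the `EchoOpener` stand-in used to exercise the function offline are all constructed; the function must still be configured with the VPC subnets and security group that can reach the endpoint.

```python
import json
import os
import urllib.error
import urllib.request

# Hypothetical private endpoint; set PRIVATE_ENDPOINT_URL on the function in a real deployment.
PRIVATE_ENDPOINT = os.environ.get("PRIVATE_ENDPOINT_URL", "https://internal.example.invalid/events")
TIMEOUT_SECONDS = 5.0

# Constructed EventBridge event in the usual envelope shape.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-4000-8000-000000000000",
    "detail-type": "order.created",
    "source": "example.orders",
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {"orderId": "A1"},
}


def build_request(event, endpoint):
    """Serialise the event compactly and wrap it in a POST request."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return urllib.request.Request(endpoint, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def forward(event, endpoint=PRIVATE_ENDPOINT, timeout=TIMEOUT_SECONDS, opener=urllib.request.urlopen):
    """POST the event to the private endpoint and return its status and body."""
    req = build_request(event, endpoint)
    try:
        with opener(req, timeout=timeout) as resp:
            return {"status": resp.status, "body": resp.read().decode("utf-8", "replace")}
    except urllib.error.HTTPError as e:  # urlopen raises for non-2xx; report it instead
        return {"status": e.code, "body": e.read().decode("utf-8", "replace")}


def lambda_handler(event, context, opener=urllib.request.urlopen):
    """Lambda entry point. Raising makes the async invocation fail, so Lambda's own
    retry and failure-destination settings apply instead of silently dropping the event."""
    result = forward(event, opener=opener)
    if not 200 <= result["status"] < 300:
        raise RuntimeError(f"private endpoint returned HTTP {result['status']}")
    return result


class _EchoResponse:
    def __init__(self, status, body):
        self.status = status
        self._body = body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self._body


class EchoOpener:
    """Constructed stand-in for urlopen: records requests and echoes the body back."""

    def __init__(self, status=202):
        self.status = status
        self.requests = []

    def __call__(self, req, timeout):
        self.requests.append(req)
        return _EchoResponse(self.status, req.data)


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, opener=EchoOpener()))
```

Keep the function's timeout and the HTTP timeout aligned so a stalled private endpoint fails fast and the event lands in the Lambda failure destination or DLQ you configure for the function.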

Related information

How can I use a dead-letter queue to troubleshoot FailedInvocations for EventBridge rules?

AWS OFFICIAL. Updated 8 months ago.