When working with EventBridge rules and roles via the AWS CLI, there are some important distinctions to understand.
The behavior you're experiencing is related to how EventBridge uses IAM roles for different purposes:
- When you use put-rule with the --role-arn parameter, you're setting the execution role that EventBridge will use to invoke certain targets. This role is stored and can be retrieved with describe-rule, but it may not be displayed prominently in the console UI.
- Different EventBridge targets have different permission requirements:
  - Some targets like Amazon SQS, SNS, Lambda, CloudWatch Logs, and EventBridge bus targets don't use roles at all - they use resource policies instead.
  - Other targets like API destinations, Kinesis streams, Systems Manager run commands, Step Functions, and Amazon ECS tasks require IAM roles.
  - For scheduled tasks (like your cron expression example), the role needs specific permissions based on the target service. For example, if you're targeting ECS, the role would need ecs:RunTask permissions.
When creating a rule via CLI, you need to:
- Create the appropriate IAM role with the correct trust policy allowing events.amazonaws.com to assume it
- Attach policies to that role granting permissions to invoke your specific target
- Use put-rule with the --role-arn parameter
- Configure the target separately using put-targets
The console may handle some of these steps automatically or display the role information differently than the CLI returns it. This could explain why you see a discrepancy between the CLI output and the console display.
For your specific case with a scheduled rule, setting the role in the console worked because it properly configured all the necessary permissions for your specific target type.
Yeah, the CLI and the console handle this a bit differently. The role you set with put-rule isn't always the same one the console shows. In most setups, the role that actually gets used lives on the target, not on the rule itself.
aws events list-targets-by-rule --rule <rule_name>
You should see the RoleArn there - that's the one EventBridge uses when it runs the target (Lambda, Step Functions, and so on).
When you edit the rule in the console and add the role there, it's really updating the target configuration. That's why things start working even though the describe-rule doesn't change.
Here are a couple of docs that go into more detail:
So nothing's broken - it's just a quirk of how EventBridge shows roles in the CLI vs. the console.
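The check described in the two answers above, as an added example that is not part of either post: it takes the JSON from describe-rule and list-targets-by-rule, flags targets that need a role but carry no RoleArn of their own, and checks each target role's trust policy for events.amazonaws.com. The function names, the sample data and the trust_policies map (role ARN to trust policy document, for example from aws iam get-role) are assumptions made for illustration.

```python
# Constructed sample data; service lists follow the first answer on this page.
RESOURCE_POLICY = {"sqs", "sns", "lambda", "logs"}
NEEDS_ROLE = {"ecs", "kinesis", "ssm", "states"}

def needs_role(target_arn):
    parts = target_arn.split(":", 5)  # arn:partition:service:region:account:resource
    service, resource = parts[2], parts[5]
    if service == "events":  # event buses and API destinations share this service name
        return resource.startswith("api-destination/")
    if service in NEEDS_ROLE:
        return True
    return False if service in RESOURCE_POLICY else None  # None: not covered by the page

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def trusts_eventbridge(trust_policy):
    """Does the trust policy let events.amazonaws.com call sts:AssumeRole?"""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "events.amazonaws.com" in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

def audit(rule, targets, trust_policies):
    """Return (target id, problem) pairs for one rule and its targets."""
    findings = []
    for t in targets["Targets"]:
        role = t.get("RoleArn")
        if needs_role(t["Arn"]) and not role:
            hint = " (RoleArn is set on the rule only)" if rule.get("RoleArn") else ""
            findings.append((t["Id"], "no RoleArn on target" + hint))
        elif role and not trusts_eventbridge(trust_policies.get(role, {})):
            findings.append((t["Id"], "role does not trust events.amazonaws.com"))
    return findings

RULE = {"Name": "nightly", "ScheduleExpression": "cron(0 2 * * ? *)",
        "RoleArn": "arn:aws:iam::111122223333:role/rule-role"}
TARGETS = {"Targets": [
    {"Id": "ecs", "Arn": "arn:aws:ecs:us-east-1:111122223333:cluster/demo"},
    {"Id": "fn", "Arn": "arn:aws:lambda:us-east-1:111122223333:function:demo"},
    {"Id": "sfn", "Arn": "arn:aws:states:us-east-1:111122223333:stateMachine:demo",
     "RoleArn": "arn:aws:iam::111122223333:role/sfn-role"}]}
TRUST = {"arn:aws:iam::111122223333:role/sfn-role": {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}

if __name__ == "__main__":
    print(audit(RULE, TARGETS, TRUST))
```

The Lambda target produces no finding because, per the first answer, it is authorized through a resource policy rather than a role.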
Hello.
Can you share the EventBridge rule configuration before you set up the IAM role?
Use the below command to share all your settings without any queries.
aws events describe-rule --name "$rule_name" --output json
Also, if the IAM role appears to be set in the AWS CLI but not in the Management Console, it may be an issue on the AWS side.
In this case, it may be quicker to resolve the issue by opening a case with AWS Support under "Account and billing."
"Account and billing" inquiries are free of charge.
