- Newest
- Most votes
- Most comments
Hello, If the resource policy works fine without the condition block but denies access on adding the condition block, thats most likely will be due to an error in the arn format / incorrect values for region, account-id, rulename. Re-validate the arn format and values to ensure there are no typo/errors.
Alternatively, In the condition block, try using the ArnLike instead of ArnEquals to check if that works?
Also, have you checked if the resource policy doesnt have any other statement which could result in deny access? Lastly, you would have to enable AWS CloudTrail logs for both Eventbridge and API Gateway and review the logs to find any additional error messages that could be denying the operation.
Have you tried removing the condition block from the IAM resource policy to validate if that allows execution to run through? This way, atleast you could ensure that there are no other issues with permissions. Thereafter, you add a condition block to further restrict the access to an eventbridge rule based on specific conditions
I removed the condition block and after it worked. I refer to the resource policy from this document: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-api-gateway-permissions so i dont know why Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:events:region:account-id:rule/rule-name" not work
Relevant content
- asked 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 5 months ago
I try using the ArnLike instead of ArnEquals but not work, this is resource policy in API GW, i dont think it wrong { "Effect": "Allow", "Principal": "", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:ap-southeast-1:83314353658:mdfkl1e0p1/", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws:events:ap-southeast-1:83314353658:rule/eb-event/eb-rule" } } }