Role cannot be assumed by events.amazonaws.com

Question

I am attempting to put a cloudwatch event rule using code:

await cloudwatchevents.putRule({
  Name: 'xxx-ec2-start',
  EventPattern: '{"source":["aws.ec2"],"detail-type":["EC2 Instance State-change Notification"],"detail":{"state":["running"]}}',
  State: 'ENABLED',
  RoleArn: `arn:aws:iam::${account.Id}:role/skynet-cloudwatch-eventbus`,
}).promise()

However, I am getting:

(node:29939) UnhandledPromiseRejectionWarning: ValidationException: Provided role 'arn:aws:iam::00000000000:role/xxx-cloudwatch-eventbus' cannot be assumed by principal 'events.amazonaws.com'.

The role already has the assume policy doc to allow events.amazonaws.com. Why does it still fail?

Sithija Piyuman Thewa Hettige Sithija Piyuman Thewa Hettige · Accepted Answer · 2020-06-18T12:08:29

The reason you are getting this error is "events.amazonaws.com" is not listed as a Trusted Entity for role theRole.(in your case skynet-cloudwatch-eventbus)

One way to fix this is by going to https://console.aws.amazon.com/iam/home?region=us-east-1#roles/theRole (adapt this link to your region + real role name) > Trust Relationships tab > Edit Trust Relationships button > paste in "events.amazonaws.com" under services as in the example given below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]

Role cannot be assumed by events.amazonaws.com

2 Answers