Description
Describe the feature
If I work from the AWS console, in the case of SNS as a target, the EventBridge service allows me to mention the "execution role", but the same is not allowed via the Python CDK.

I researched a lot but could not find any keyword argument that allows me to mention an execution role inside the aws_events_targets module (in the case where the target is SNS).
In the AWS doc also, no option is mentioned to include an execution role.
AWS doc link: https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_events_targets/SnsTopic.html

Well, if there is a way to mention it via the Python CDK then please let me know; otherwise I want a feature as given below.
Add the SNS topic as the target for the rule
event_rule.add_target(aws_events_targets.SnsTopic(topic=sns_topic), role = event_rule)
Use Case
I need this option because I have created an EventBridge rule to send a message to an SNS topic. This SNS topic uses a KMS key for encryption. The EventBridge rule is failing with the following error:
User: events.amazonaws.com is not authorized to perform: kms:GenerateDataKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;
Now, I do know the potential solution is to provide the EventBridge service with the necessary permissions on this KMS key.
However, I don't want to do that. Instead, I already have an IAM role with similar permissions, and I want EventBridge to assume that IAM role to perform the KMS-related operations.
Proposed Solution
Please add a keyword argument named "role" in aws_events_targets so that we can provide an execution role which EventBridge can then assume.
event_rule.add_target(aws_events_targets.SnsTopic(topic=sns_topic), role = event_rule)
Other Information
No response
Acknowledgements
- I may be able to implement this feature request
- This feature might incur a breaking change
CDK version used
2.1004.0
Environment details (OS name and version, etc.)
NAME="Red Hat Enterprise Linux" VERSION="9.5 (Plow)" ID="rhel" ID_LIKE="fedora" VERSION_ID="9.5" PLATFORM_ID="platform:el9"
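
Added example, not part of the original issue or of the CDK code base: a small offline check that reports which KMS actions a key policy fails to grant to the events.amazonaws.com service principal, which is the condition behind the AccessDeniedException quoted under Use Case. The function names and both sample policies are constructed for illustration; the check evaluates only Effect, Principal and Action.

```python
from fnmatch import fnmatchcase

# kms:GenerateDataKey is the action named in the error above; kms:Decrypt is the
# second action the AWS docs list for services publishing to encrypted topics.
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(stmt, service, action):
    """True if the statement names the service principal and the action."""
    principal = stmt.get("Principal")
    if principal != "*":
        services = principal.get("Service") if isinstance(principal, dict) else None
        if service not in _as_list(services):
            return False
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action")))

def missing_key_permissions(policy, service="events.amazonaws.com", required=REQUIRED):
    """Return the required actions the key policy does not grant to `service`.

    Simplified: explicit Deny wins over Allow; Condition, NotAction and
    NotPrincipal are not evaluated.
    """
    stmts = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, service, action) for s in stmts)
        denied = any(s.get("Effect") == "Deny" and _matches(s, service, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed sample: key policy that only delegates to the account root
# (111122223333 is a placeholder account id).
_ROOT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"}
ROOT_ONLY = {"Version": "2012-10-17", "Statement": [_ROOT]}

# Constructed sample: the same policy plus a statement for the EventBridge service.
_EVENTS = {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
           "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}
WITH_EVENTS = {"Version": "2012-10-17", "Statement": [_ROOT, _EVENTS]}
```

To check a real key, pass the parsed JSON of its key policy to missing_key_permissions; an empty list means both actions are granted to the service principal at the statement level.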