Setting up Amazon EventBridge Scheduler
Before you can use EventBridge Scheduler, you must complete the following steps.
Topics
Sign up for AWS
If you do not have an AWS account, complete the following steps to create one.
To sign up for an AWS account
Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.
When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.
Create an IAM user
To create an administrator user, choose one of the following options.
Choose one way to manage your administrator | To | By | You can also |
---|---|---|---|
In IAM Identity Center (Recommended) |
Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. |
Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. |
In IAM (Not recommended) |
Use long-term credentials to access AWS. | Following the instructions in Create an IAM user for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for IAM users in the IAM User Guide. |
Use managed policies
In the previous step, you set up an IAM user with the credentials to access your AWS resources. In most cases, to use EventBridge Scheduler securely, we recommend that you create separate users, groups, or roles with only the necessary permissions to use EventBridge Scheduler. EventBridge Scheduler supports the following managed policies for common use cases.
-
AmazonEventBridgeSchedulerFullAccess – Grants full access to EventBridge Scheduler using the console and the API.
-
AmazonEventBridgeSchedulerReadOnlyAccess – Grants read-only access to EventBridge Scheduler.
You can attach these managed policies to your IAM principals the same way you
attached the AdministratorAccess
policy in the previous step. For more
information about managing access to EventBridge Scheduler using identity-based IAM policies, see
Using identity-based policies in EventBridge Scheduler.
Set up the execution role
An execution role is an IAM role that EventBridge Scheduler assumes in order to interact with other AWS services on your behalf. You attach permission policies to this role to grant EventBridge Scheduler access to invoke targets.
You can also create a new execution role when you use the console to create a new schedule. If you use the console, EventBridge Scheduler creates a role on your behalf with permissions based on the target you choose. When EventBridge Scheduler creates a role for you, the role's trust policy includes condition keys that limit which principals can assume the role on your behalf. This guards against the potential confused deputy security issue.
The following steps describe how to create a new execution role and how to grant EventBridge Scheduler access to invoke a target. This topic describes permissions for popular templated targets. For information on adding permissions for other targets, see Using templated targets in EventBridge Scheduler.
To create an execution role using the AWS CLI
-
Copy the following assume role JSON policy and save it locally as
Scheduler-Execution-Role.json
. This trust policy allows EventBridge Scheduler to assume the role on your behalf.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "scheduler.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Important
T set up an execution role in a production environment, we recommend implementing additional safeguards for preventing confused deputy issues. For more information and an example policy, see Confused deputy prevention in EventBridge Scheduler.
-
From the AWS Command Line Interface (AWS CLI), enter the following command to create a new role. Replace
with the name you want to give this role.SchedulerExecutionRole
$
aws iam create-role --role-name
SchedulerExecutionRole
--assume-role-policy-document file://Scheduler-Execution-Role.jsonIf successful, you'll see the following output:
{ "Role": { "Path": "/", "RoleName": "Scheduler-Execution-Role", "RoleId": "BR1L2DZK3K4CTL5ZF9EIL", "Arn": "arn:aws:iam::123456789012:role/SchedulerExecutionRole", "CreateDate": "2022-03-10T18:45:01+00:00", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "scheduler.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } } }
-
To create a new policy that allows EventBridge Scheduler to invoke a target, choose one of the following common targets. Copy the JSON permission policy and save it locally as a
.json
file. -
Run the following command to create the new permission policy. Replace
with the name you want to give this policy.PolicyName
$
aws iam create-policy --policy-name
PolicyName
--policy-document file://PermissionPolicy.jsonIf successful, you'll see the following output. Note the policy ARN. You use this ARN in the next step to attach the policy to our execution role.
{ "Policy": { "PolicyName": "PolicyName", "CreateDate": "2022-03-015T19:31:18.620Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "ZXR6A36LTYANPAI7NJ5UV", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::123456789012:policy/PolicyName", "UpdateDate": "2022-03-015T19:31:18.620Z" } }
-
Run the following command to attach the policy to your execution role. Replace
with the ARN of the policy you created in the previous step. Replaceyour-policy-arn
with the name of your execution role.SchedulerExecutionRole
$
aws iam attach-role-policy --policy-arn
your-policy-arn
--role-nameSchedulerExecutionRole
The
attach-role-policy
operation doesn't return a response on the command line.
Set up a target
Before you create an EventBridge Scheduler schedule, you need at least one target for your schedule to invoke. You can use an existing AWS resource, or create a new one. The following steps show how to create a new standard Amazon SQS queue with AWS CloudFormation.
To create a new Amazon SQS queue
-
Copy the following JSON AWS CloudFormation template and save it locally as
SchedulerTargetSQS.json
.{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "MyQueue": { "Type": "AWS::SQS::Queue", "Properties": { "QueueName": "
MyQueue
" } } }, "Outputs": { "QueueName": { "Description": "The name of the queue", "Value": { "Fn::GetAtt": [ "MyQueue", "QueueName" ] } }, "QueueURL": { "Description": "The URL of the queue", "Value": { "Ref": "MyQueue" } }, "QueueARN": { "Description": "The ARN of the queue", "Value": { "Fn::GetAtt": [ "MyQueue", "Arn" ] } } } } -
From the AWS CLI, run the following command to create an AWS CloudFormation stack from the
Scheduler-Target-SQS.json
template.$
aws cloudformation create-stack --stack-name
Scheduler-Target-SQS
--template-body file://Scheduler-Target-SQS.jsonIf successful, you'll see the following output:
{ "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/Scheduler-Target-SQS/1d2af345-a121-12eb-abc1-012e34567890" }
-
Run the following command to view summary information for your AWS CloudFormation stack. This information includes the status of the stack and the outputs specified in the template.
$
aws cloudformation describe-stacks --stack-name
Scheduler-Target-SQS
If successful, the command creates the Amazon SQS queue and returns the following output:
{ "Stacks": [ { "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/Scheduler-Target-SQS/1d2af345-a121-12eb-abc1-012e34567890", "StackName": "Scheduler-Target-SQS", "CreationTime": "2022-03-17T16:21:29.442000+00:00", "RollbackConfiguration": {}, "StackStatus": "CREATE_COMPLETE", "DisableRollback": false, "NotificationARNs": [], "Outputs": [ { "OutputKey": "QueueName", "OutputValue": "MyQueue", "Description": "The name of the queue" }, { "OutputKey": "QueueARN", "OutputValue": "arn:aws:sqs:us-west-2:123456789012:MyQueue", "Description": "The ARN of the queue" }, { "OutputKey": "QueueURL", "OutputValue": "https://sqs.us-west-2.amazonaws.com/123456789012/MyQueue", "Description": "The URL of the queue" } ], "Tags": [], "EnableTerminationProtection": false, "DriftInformation": { "StackDriftStatus": "NOT_CHECKED" } } ] }
Later in this guide, you'll use the value for
QueueARN
to set up the queue as a target for EventBridge Scheduler.
What's next?
After you've completed the set up step, use the Getting started guide to create your first EventBridge Scheduler scheduler and invoke a target.