The aws:cloudwatch/eventConnection:EventConnection resource, part of the Pulumi AWS provider, stores authentication credentials and HTTP parameters for EventBridge API destinations. This guide focuses on three capabilities: authentication methods (API key, Basic, OAuth), custom HTTP parameters at invocation time, and customer-managed key encryption.
Connections store credentials that API destinations reference when invoking external APIs. The examples are intentionally small. Combine them with EventBridge rules and API destinations to build complete event-driven integrations.
Authenticate with API keys
Many webhook destinations require API key authentication, where you send a custom header with each request.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "API_KEY",
authParameters: {
apiKey: {
key: "x-signature",
value: "1234",
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="API_KEY",
auth_parameters={
"api_key": {
"key": "x-signature",
"value": "1234",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("API_KEY"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
ApiKey: &cloudwatch.EventConnectionAuthParametersApiKeyArgs{
Key: pulumi.String("x-signature"),
Value: pulumi.String("1234"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "API_KEY",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
ApiKey = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersApiKeyArgs
{
Key = "x-signature",
Value = "1234",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersApiKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("API_KEY")
.authParameters(EventConnectionAuthParametersArgs.builder()
.apiKey(EventConnectionAuthParametersApiKeyArgs.builder()
.key("x-signature")
.value("1234")
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: API_KEY
authParameters:
apiKey:
key: x-signature
value: '1234'
The authorizationType property specifies the authentication method. For API_KEY, the authParameters.apiKey block defines the header name (key) and its value. EventBridge stores these credentials securely and injects them automatically when invoking API destinations.
Authenticate with username and password
HTTP Basic authentication sends a username and password with each request, encoded in the Authorization header.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
Setting authorizationType to BASIC switches to HTTP Basic authentication. The authParameters.basic block stores the username and password, which EventBridge encodes and sends in the Authorization header with each request.
Authenticate with OAuth client credentials
OAuth 2.0 client credentials flow exchanges a client ID and secret for access tokens, which EventBridge refreshes automatically.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "OAUTH_CLIENT_CREDENTIALS",
authParameters: {
oauth: {
authorizationEndpoint: "https://auth.url.com/endpoint",
httpMethod: "GET",
clientParameters: {
clientId: "1234567890",
clientSecret: "Pass1234!",
},
oauthHttpParameters: {
bodies: [{
key: "body-parameter-key",
value: "body-parameter-value",
isValueSecret: false,
}],
headers: [{
key: "header-parameter-key",
value: "header-parameter-value",
isValueSecret: false,
}],
queryStrings: [{
key: "query-string-parameter-key",
value: "query-string-parameter-value",
isValueSecret: false,
}],
},
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="OAUTH_CLIENT_CREDENTIALS",
auth_parameters={
"oauth": {
"authorization_endpoint": "https://auth.url.com/endpoint",
"http_method": "GET",
"client_parameters": {
"client_id": "1234567890",
"client_secret": "Pass1234!",
},
"oauth_http_parameters": {
"bodies": [{
"key": "body-parameter-key",
"value": "body-parameter-value",
"is_value_secret": False,
}],
"headers": [{
"key": "header-parameter-key",
"value": "header-parameter-value",
"is_value_secret": False,
}],
"query_strings": [{
"key": "query-string-parameter-key",
"value": "query-string-parameter-value",
"is_value_secret": False,
}],
},
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("OAUTH_CLIENT_CREDENTIALS"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Oauth: &cloudwatch.EventConnectionAuthParametersOauthArgs{
AuthorizationEndpoint: pulumi.String("https://auth.url.com/endpoint"),
HttpMethod: pulumi.String("GET"),
ClientParameters: &cloudwatch.EventConnectionAuthParametersOauthClientParametersArgs{
ClientId: pulumi.String("1234567890"),
ClientSecret: pulumi.String("Pass1234!"),
},
OauthHttpParameters: &cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersArgs{
Bodies: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key"),
Value: pulumi.String("body-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
Headers: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs{
Key: pulumi.String("header-parameter-key"),
Value: pulumi.String("header-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
QueryStrings: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs{
Key: pulumi.String("query-string-parameter-key"),
Value: pulumi.String("query-string-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "OAUTH_CLIENT_CREDENTIALS",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Oauth = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthArgs
{
AuthorizationEndpoint = "https://auth.url.com/endpoint",
HttpMethod = "GET",
ClientParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthClientParametersArgs
{
ClientId = "1234567890",
ClientSecret = "Pass1234!",
},
OauthHttpParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs
{
Bodies = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs
{
Key = "body-parameter-key",
Value = "body-parameter-value",
IsValueSecret = false,
},
},
Headers = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs
{
Key = "header-parameter-key",
Value = "header-parameter-value",
IsValueSecret = false,
},
},
QueryStrings = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs
{
Key = "query-string-parameter-key",
Value = "query-string-parameter-value",
IsValueSecret = false,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthClientParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("OAUTH_CLIENT_CREDENTIALS")
.authParameters(EventConnectionAuthParametersArgs.builder()
.oauth(EventConnectionAuthParametersOauthArgs.builder()
.authorizationEndpoint("https://auth.url.com/endpoint")
.httpMethod("GET")
.clientParameters(EventConnectionAuthParametersOauthClientParametersArgs.builder()
.clientId("1234567890")
.clientSecret("Pass1234!")
.build())
.oauthHttpParameters(EventConnectionAuthParametersOauthOauthHttpParametersArgs.builder()
.bodies(EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs.builder()
.key("body-parameter-key")
.value("body-parameter-value")
.isValueSecret(false)
.build())
.headers(EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs.builder()
.key("header-parameter-key")
.value("header-parameter-value")
.isValueSecret(false)
.build())
.queryStrings(EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs.builder()
.key("query-string-parameter-key")
.value("query-string-parameter-value")
.isValueSecret(false)
.build())
.build())
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: OAUTH_CLIENT_CREDENTIALS
authParameters:
oauth:
authorizationEndpoint: https://auth.url.com/endpoint
httpMethod: GET
clientParameters:
clientId: '1234567890'
clientSecret: Pass1234!
oauthHttpParameters:
bodies:
- key: body-parameter-key
value: body-parameter-value
isValueSecret: false
headers:
- key: header-parameter-key
value: header-parameter-value
isValueSecret: false
queryStrings:
- key: query-string-parameter-key
value: query-string-parameter-value
isValueSecret: false
For OAuth, the authParameters.oauth block defines the authorization endpoint, HTTP method, and client credentials. The oauthHttpParameters section lets you send additional headers, body parameters, or query strings during token exchange. EventBridge handles token refresh automatically.
Add custom headers and query parameters
Some APIs require additional headers, query strings, or body parameters beyond authentication.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
invocationHttpParameters: {
bodies: [
{
key: "body-parameter-key",
value: "body-parameter-value",
isValueSecret: false,
},
{
key: "body-parameter-key2",
value: "body-parameter-value2",
isValueSecret: true,
},
],
headers: [{
key: "header-parameter-key",
value: "header-parameter-value",
isValueSecret: false,
}],
queryStrings: [{
key: "query-string-parameter-key",
value: "query-string-parameter-value",
isValueSecret: false,
}],
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
"invocation_http_parameters": {
"bodies": [
{
"key": "body-parameter-key",
"value": "body-parameter-value",
"is_value_secret": False,
},
{
"key": "body-parameter-key2",
"value": "body-parameter-value2",
"is_value_secret": True,
},
],
"headers": [{
"key": "header-parameter-key",
"value": "header-parameter-value",
"is_value_secret": False,
}],
"query_strings": [{
"key": "query-string-parameter-key",
"value": "query-string-parameter-value",
"is_value_secret": False,
}],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
InvocationHttpParameters: &cloudwatch.EventConnectionAuthParametersInvocationHttpParametersArgs{
Bodies: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key"),
Value: pulumi.String("body-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key2"),
Value: pulumi.String("body-parameter-value2"),
IsValueSecret: pulumi.Bool(true),
},
},
Headers: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersHeaderArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersHeaderArgs{
Key: pulumi.String("header-parameter-key"),
Value: pulumi.String("header-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
QueryStrings: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersQueryStringArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs{
Key: pulumi.String("query-string-parameter-key"),
Value: pulumi.String("query-string-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
InvocationHttpParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersArgs
{
Bodies = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersBodyArgs
{
Key = "body-parameter-key",
Value = "body-parameter-value",
IsValueSecret = false,
},
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersBodyArgs
{
Key = "body-parameter-key2",
Value = "body-parameter-value2",
IsValueSecret = true,
},
},
Headers = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersHeaderArgs
{
Key = "header-parameter-key",
Value = "header-parameter-value",
IsValueSecret = false,
},
},
QueryStrings = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs
{
Key = "query-string-parameter-key",
Value = "query-string-parameter-value",
IsValueSecret = false,
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersInvocationHttpParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.invocationHttpParameters(EventConnectionAuthParametersInvocationHttpParametersArgs.builder()
.bodies(
EventConnectionAuthParametersInvocationHttpParametersBodyArgs.builder()
.key("body-parameter-key")
.value("body-parameter-value")
.isValueSecret(false)
.build(),
EventConnectionAuthParametersInvocationHttpParametersBodyArgs.builder()
.key("body-parameter-key2")
.value("body-parameter-value2")
.isValueSecret(true)
.build())
.headers(EventConnectionAuthParametersInvocationHttpParametersHeaderArgs.builder()
.key("header-parameter-key")
.value("header-parameter-value")
.isValueSecret(false)
.build())
.queryStrings(EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs.builder()
.key("query-string-parameter-key")
.value("query-string-parameter-value")
.isValueSecret(false)
.build())
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
invocationHttpParameters:
bodies:
- key: body-parameter-key
value: body-parameter-value
isValueSecret: false
- key: body-parameter-key2
value: body-parameter-value2
isValueSecret: true
headers:
- key: header-parameter-key
value: header-parameter-value
isValueSecret: false
queryStrings:
- key: query-string-parameter-key
value: query-string-parameter-value
isValueSecret: false
The invocationHttpParameters block adds custom HTTP parameters that EventBridge sends with each request. Set isValueSecret to true for sensitive values; EventBridge encrypts these separately. This extends basic authentication with invocation-time parameters.
Encrypt credentials with customer-managed keys
By default, EventBridge encrypts connection credentials with AWS-managed keys. For compliance requirements, you can specify a customer-managed KMS key.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const currentGetPartition = aws.getPartition({});
const test = new aws.kms.Key("test", {
deletionWindowInDays: 7,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-policy-example",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: Promise.all([currentGetPartition, current]).then(([currentGetPartition, current]) => `arn:${currentGetPartition.partition}:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: Promise.all([currentGetPartition, current]).then(([currentGetPartition, current]) => `arn:${currentGetPartition.partition}:iam::${current.accountId}:root`),
},
Action: [
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
],
Resource: "*",
Condition: {
StringLike: {
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": ["arn:aws:secretsmanager:*:*:secret:events!connection/*"],
},
},
},
],
}),
tags: {
EventBridgeApiDestinations: "true",
},
});
const testEventConnection = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
},
kmsKeyIdentifier: example.id,
});
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
current_get_partition = aws.get_partition()
test = aws.kms.Key("test",
deletion_window_in_days=7,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-policy-example",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:{current_get_partition.partition}:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:{current_get_partition.partition}:iam::{current.account_id}:root",
},
"Action": [
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": ["arn:aws:secretsmanager:*:*:secret:events!connection/*"],
},
},
},
],
}),
tags={
"EventBridgeApiDestinations": "true",
})
test_event_connection = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
},
kms_key_identifier=example["id"])
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
currentGetPartition, err := aws.GetPartition(ctx, &aws.GetPartitionArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-policy-example",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:%v:iam::%v:root", currentGetPartition.Partition, current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:%v:iam::%v:root", currentGetPartition.Partition, current.AccountId),
},
"Action": []string{
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
},
"Resource": "*",
"Condition": map[string]interface{}{
"StringLike": map[string]interface{}{
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": []string{
"arn:aws:secretsmanager:*:*:secret:events!connection/*",
},
},
},
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "test", &kms.KeyArgs{
DeletionWindowInDays: pulumi.Int(7),
Policy: pulumi.String(json0),
Tags: pulumi.StringMap{
"EventBridgeApiDestinations": pulumi.String("true"),
},
})
if err != nil {
return err
}
_, err = cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
},
KmsKeyIdentifier: pulumi.Any(example.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var currentGetPartition = Aws.GetPartition.Invoke();
var test = new Aws.Kms.Key("test", new()
{
DeletionWindowInDays = 7,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-policy-example",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = Output.Tuple(currentGetPartition, current).Apply(values =>
{
var currentGetPartition = values.Item1;
var current = values.Item2;
return $"arn:{currentGetPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root";
}),
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = Output.Tuple(currentGetPartition, current).Apply(values =>
{
var currentGetPartition = values.Item1;
var current = values.Item2;
return $"arn:{currentGetPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root";
}),
},
["Action"] = new[]
{
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
},
["Resource"] = "*",
["Condition"] = new Dictionary<string, object?>
{
["StringLike"] = new Dictionary<string, object?>
{
["kms:ViaService"] = "secretsmanager.*.amazonaws.com",
["kms:EncryptionContext:SecretARN"] = new[]
{
"arn:aws:secretsmanager:*:*:secret:events!connection/*",
},
},
},
},
},
}),
Tags =
{
{ "EventBridgeApiDestinations", "true" },
},
});
var testEventConnection = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
},
KmsKeyIdentifier = example.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity(GetCallerIdentityArgs.builder()
.build());
final var currentGetPartition = AwsFunctions.getPartition(GetPartitionArgs.builder()
.build());
var test = new Key("test", KeyArgs.builder()
.deletionWindowInDays(7)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-policy-example"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:%s:iam::%s:root", currentGetPartition.partition(),current.accountId()))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:%s:iam::%s:root", currentGetPartition.partition(),current.accountId()))
)),
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey"
)),
jsonProperty("Resource", "*"),
jsonProperty("Condition", jsonObject(
jsonProperty("StringLike", jsonObject(
jsonProperty("kms:ViaService", "secretsmanager.*.amazonaws.com"),
jsonProperty("kms:EncryptionContext:SecretARN", jsonArray("arn:aws:secretsmanager:*:*:secret:events!connection/*"))
))
))
)
))
)))
.tags(Map.of("EventBridgeApiDestinations", "true"))
.build());
var testEventConnection = new EventConnection("testEventConnection", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.build())
.kmsKeyIdentifier(example.id())
.build());
}
}
resources:
test:
type: aws:kms:Key
properties:
deletionWindowInDays: 7
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-policy-example
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:${currentGetPartition.partition}:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:${currentGetPartition.partition}:iam::${current.accountId}:root
Action:
- kms:DescribeKey
- kms:Decrypt
- kms:GenerateDataKey
Resource: '*'
Condition:
StringLike:
kms:ViaService: secretsmanager.*.amazonaws.com
kms:EncryptionContext:SecretARN:
- arn:aws:secretsmanager:*:*:secret:events!connection/*
tags:
EventBridgeApiDestinations: 'true'
testEventConnection:
type: aws:cloudwatch:EventConnection
name: test
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
kmsKeyIdentifier: ${example.id}
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}
currentGetPartition:
fn::invoke:
function: aws:getPartition
arguments: {}
The kmsKeyIdentifier property references a KMS key for encrypting connection credentials. The key policy must grant EventBridge permissions to use the key via the secretsmanager service, as shown in the Condition block. EventBridge creates a secret in Secrets Manager and encrypts it with your key.
Beyond these examples
These snippets focus on specific connection-level features: authentication methods (API key, Basic, OAuth), invocation parameters and secret handling, and customer-managed encryption. They’re intentionally minimal rather than full event-driven integrations.
The examples may reference pre-existing infrastructure such as KMS keys with appropriate policies (for the encryption example). They focus on configuring the connection rather than building complete EventBridge workflows.
To keep things focused, common connection patterns are omitted, including:
- Private API connectivity (invocationConnectivityParameters)
- Connection lifecycle management (updates, rotation)
- Integration with API destinations
- Regional deployment considerations
These omissions are intentional: the goal is to illustrate how each connection feature is wired, not provide drop-in integration modules. See the EventBridge Connection resource reference for all available configuration options.
Let's configure AWS EventBridge Connections
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Authentication & Authorization
What authorization types are supported for EventBridge connections?
EventBridge connections support three authorization types:
API_KEY, BASIC, and OAUTH_CLIENT_CREDENTIALS.How do I configure API key authentication?
Set
authorizationType to API_KEY and provide authParameters.apiKey with key and value fields. For example, use key: "x-signature" with your API key value.How do I configure basic authentication?
Set
authorizationType to BASIC and provide authParameters.basic with username and password fields.How do I configure OAuth client credentials authentication?
Set
authorizationType to OAUTH_CLIENT_CREDENTIALS and configure authParameters.oauth with authorizationEndpoint, httpMethod, clientParameters (containing clientId and clientSecret), and optionally oauthHttpParameters for additional headers, bodies, or query strings.Security & Encryption
How do I encrypt connection credentials with a customer-managed KMS key?
Specify
kmsKeyIdentifier with your KMS key ARN, key ID, key alias, or key alias ARN. EventBridge will use this key to encrypt the connection’s authorization parameters.What KMS permissions are required for encrypted connections?
Your KMS key policy must allow
kms:DescribeKey, kms:Decrypt, and kms:GenerateDataKey actions via the secretsmanager.*.amazonaws.com service, with the encryption context SecretARN matching arn:aws:secretsmanager:*:*:secret:events!connection/*.How do I mark connection parameters as secret?
When configuring
invocationHttpParameters or oauthHttpParameters, set isValueSecret: true on individual body, header, or query string parameters to mark their values as sensitive.Configuration & Limits
Can I rename a connection after creation?
No, the
name property is immutable. Changing it requires replacing the resource. Connection names must be 64 characters or fewer, consisting of numbers, letters, and the characters ., -, or _.What's the difference between EventBridge and CloudWatch Events?
EventBridge was formerly known as CloudWatch Events, but the functionality is identical. The services are the same.
Using a different cloud?
Explore integration guides for other cloud providers: