The aws:cloudwatch/eventConnection:EventConnection resource, part of the Pulumi AWS provider, stores authentication credentials and request parameters for EventBridge API destinations. This guide focuses on three capabilities: authentication methods (API key, Basic, OAuth), custom request parameters, and private API connectivity with encryption.
Connections don’t send events themselves; they’re referenced by EventBridge API destinations that route events to HTTP endpoints. The examples are intentionally small. Combine them with EventBridge rules, targets, and API destinations to build complete event-driven workflows.
Authenticate with API keys for webhook endpoints
Many webhook providers require API key authentication passed as custom headers. EventBridge connections store these credentials securely and inject them into outbound requests.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "API_KEY",
authParameters: {
apiKey: {
key: "x-signature",
value: "1234",
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="API_KEY",
auth_parameters={
"api_key": {
"key": "x-signature",
"value": "1234",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("API_KEY"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
ApiKey: &cloudwatch.EventConnectionAuthParametersApiKeyArgs{
Key: pulumi.String("x-signature"),
Value: pulumi.String("1234"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "API_KEY",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
ApiKey = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersApiKeyArgs
{
Key = "x-signature",
Value = "1234",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersApiKeyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("API_KEY")
.authParameters(EventConnectionAuthParametersArgs.builder()
.apiKey(EventConnectionAuthParametersApiKeyArgs.builder()
.key("x-signature")
.value("1234")
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: API_KEY
authParameters:
apiKey:
key: x-signature
value: '1234'
The authorizationType property specifies API_KEY authentication. Inside authParameters.apiKey, the key property names the header (e.g., “x-signature”), and value provides the credential. EventBridge encrypts the value and adds the header to every request sent through API destinations that reference this connection.
Authenticate with username and password
HTTP Basic authentication remains common for internal APIs and legacy systems. Connections handle the Base64 encoding and Authorization header construction automatically.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
Setting authorizationType to BASIC tells EventBridge to use HTTP Basic authentication. The username and password in authParameters.basic are Base64-encoded and sent as an Authorization header. EventBridge manages the encoding; you provide plain credentials.
Authenticate with OAuth client credentials flow
Modern APIs often require OAuth 2.0 client credentials flow, where EventBridge exchanges client ID and secret for access tokens automatically.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "OAUTH_CLIENT_CREDENTIALS",
authParameters: {
oauth: {
authorizationEndpoint: "https://auth.url.com/endpoint",
httpMethod: "GET",
clientParameters: {
clientId: "1234567890",
clientSecret: "Pass1234!",
},
oauthHttpParameters: {
bodies: [{
key: "body-parameter-key",
value: "body-parameter-value",
isValueSecret: false,
}],
headers: [{
key: "header-parameter-key",
value: "header-parameter-value",
isValueSecret: false,
}],
queryStrings: [{
key: "query-string-parameter-key",
value: "query-string-parameter-value",
isValueSecret: false,
}],
},
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="OAUTH_CLIENT_CREDENTIALS",
auth_parameters={
"oauth": {
"authorization_endpoint": "https://auth.url.com/endpoint",
"http_method": "GET",
"client_parameters": {
"client_id": "1234567890",
"client_secret": "Pass1234!",
},
"oauth_http_parameters": {
"bodies": [{
"key": "body-parameter-key",
"value": "body-parameter-value",
"is_value_secret": False,
}],
"headers": [{
"key": "header-parameter-key",
"value": "header-parameter-value",
"is_value_secret": False,
}],
"query_strings": [{
"key": "query-string-parameter-key",
"value": "query-string-parameter-value",
"is_value_secret": False,
}],
},
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("OAUTH_CLIENT_CREDENTIALS"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Oauth: &cloudwatch.EventConnectionAuthParametersOauthArgs{
AuthorizationEndpoint: pulumi.String("https://auth.url.com/endpoint"),
HttpMethod: pulumi.String("GET"),
ClientParameters: &cloudwatch.EventConnectionAuthParametersOauthClientParametersArgs{
ClientId: pulumi.String("1234567890"),
ClientSecret: pulumi.String("Pass1234!"),
},
OauthHttpParameters: &cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersArgs{
Bodies: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key"),
Value: pulumi.String("body-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
Headers: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs{
Key: pulumi.String("header-parameter-key"),
Value: pulumi.String("header-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
QueryStrings: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs{
Key: pulumi.String("query-string-parameter-key"),
Value: pulumi.String("query-string-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "OAUTH_CLIENT_CREDENTIALS",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Oauth = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthArgs
{
AuthorizationEndpoint = "https://auth.url.com/endpoint",
HttpMethod = "GET",
ClientParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthClientParametersArgs
{
ClientId = "1234567890",
ClientSecret = "Pass1234!",
},
OauthHttpParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs
{
Bodies = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs
{
Key = "body-parameter-key",
Value = "body-parameter-value",
IsValueSecret = false,
},
},
Headers = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs
{
Key = "header-parameter-key",
Value = "header-parameter-value",
IsValueSecret = false,
},
},
QueryStrings = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs
{
Key = "query-string-parameter-key",
Value = "query-string-parameter-value",
IsValueSecret = false,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthClientParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("OAUTH_CLIENT_CREDENTIALS")
.authParameters(EventConnectionAuthParametersArgs.builder()
.oauth(EventConnectionAuthParametersOauthArgs.builder()
.authorizationEndpoint("https://auth.url.com/endpoint")
.httpMethod("GET")
.clientParameters(EventConnectionAuthParametersOauthClientParametersArgs.builder()
.clientId("1234567890")
.clientSecret("Pass1234!")
.build())
.oauthHttpParameters(EventConnectionAuthParametersOauthOauthHttpParametersArgs.builder()
.bodies(EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs.builder()
.key("body-parameter-key")
.value("body-parameter-value")
.isValueSecret(false)
.build())
.headers(EventConnectionAuthParametersOauthOauthHttpParametersHeaderArgs.builder()
.key("header-parameter-key")
.value("header-parameter-value")
.isValueSecret(false)
.build())
.queryStrings(EventConnectionAuthParametersOauthOauthHttpParametersQueryStringArgs.builder()
.key("query-string-parameter-key")
.value("query-string-parameter-value")
.isValueSecret(false)
.build())
.build())
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: OAUTH_CLIENT_CREDENTIALS
authParameters:
oauth:
authorizationEndpoint: https://auth.url.com/endpoint
httpMethod: GET
clientParameters:
clientId: '1234567890'
clientSecret: Pass1234!
oauthHttpParameters:
bodies:
- key: body-parameter-key
value: body-parameter-value
isValueSecret: false
headers:
- key: header-parameter-key
value: header-parameter-value
isValueSecret: false
queryStrings:
- key: query-string-parameter-key
value: query-string-parameter-value
isValueSecret: false
OAuth connections require an authorizationEndpoint where EventBridge requests tokens, an httpMethod (GET or POST), and clientParameters with your client ID and secret. The oauthHttpParameters block lets you add custom headers, query strings, or body parameters to the token request. EventBridge handles token refresh automatically when tokens expire.
Add custom headers and query parameters to requests
Some integrations require additional headers, query strings, or body parameters beyond authentication. Invocation parameters let you inject these values into every request EventBridge sends.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
invocationHttpParameters: {
bodies: [
{
key: "body-parameter-key",
value: "body-parameter-value",
isValueSecret: false,
},
{
key: "body-parameter-key2",
value: "body-parameter-value2",
isValueSecret: true,
},
],
headers: [{
key: "header-parameter-key",
value: "header-parameter-value",
isValueSecret: false,
}],
queryStrings: [{
key: "query-string-parameter-key",
value: "query-string-parameter-value",
isValueSecret: false,
}],
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
"invocation_http_parameters": {
"bodies": [
{
"key": "body-parameter-key",
"value": "body-parameter-value",
"is_value_secret": False,
},
{
"key": "body-parameter-key2",
"value": "body-parameter-value2",
"is_value_secret": True,
},
],
"headers": [{
"key": "header-parameter-key",
"value": "header-parameter-value",
"is_value_secret": False,
}],
"query_strings": [{
"key": "query-string-parameter-key",
"value": "query-string-parameter-value",
"is_value_secret": False,
}],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
InvocationHttpParameters: &cloudwatch.EventConnectionAuthParametersInvocationHttpParametersArgs{
Bodies: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key"),
Value: pulumi.String("body-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersBodyArgs{
Key: pulumi.String("body-parameter-key2"),
Value: pulumi.String("body-parameter-value2"),
IsValueSecret: pulumi.Bool(true),
},
},
Headers: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersHeaderArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersHeaderArgs{
Key: pulumi.String("header-parameter-key"),
Value: pulumi.String("header-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
QueryStrings: cloudwatch.EventConnectionAuthParametersInvocationHttpParametersQueryStringArray{
&cloudwatch.EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs{
Key: pulumi.String("query-string-parameter-key"),
Value: pulumi.String("query-string-parameter-value"),
IsValueSecret: pulumi.Bool(false),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
InvocationHttpParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersArgs
{
Bodies = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersBodyArgs
{
Key = "body-parameter-key",
Value = "body-parameter-value",
IsValueSecret = false,
},
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersBodyArgs
{
Key = "body-parameter-key2",
Value = "body-parameter-value2",
IsValueSecret = true,
},
},
Headers = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersHeaderArgs
{
Key = "header-parameter-key",
Value = "header-parameter-value",
IsValueSecret = false,
},
},
QueryStrings = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs
{
Key = "query-string-parameter-key",
Value = "query-string-parameter-value",
IsValueSecret = false,
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersInvocationHttpParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.invocationHttpParameters(EventConnectionAuthParametersInvocationHttpParametersArgs.builder()
.bodies(
EventConnectionAuthParametersInvocationHttpParametersBodyArgs.builder()
.key("body-parameter-key")
.value("body-parameter-value")
.isValueSecret(false)
.build(),
EventConnectionAuthParametersInvocationHttpParametersBodyArgs.builder()
.key("body-parameter-key2")
.value("body-parameter-value2")
.isValueSecret(true)
.build())
.headers(EventConnectionAuthParametersInvocationHttpParametersHeaderArgs.builder()
.key("header-parameter-key")
.value("header-parameter-value")
.isValueSecret(false)
.build())
.queryStrings(EventConnectionAuthParametersInvocationHttpParametersQueryStringArgs.builder()
.key("query-string-parameter-key")
.value("query-string-parameter-value")
.isValueSecret(false)
.build())
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
invocationHttpParameters:
bodies:
- key: body-parameter-key
value: body-parameter-value
isValueSecret: false
- key: body-parameter-key2
value: body-parameter-value2
isValueSecret: true
headers:
- key: header-parameter-key
value: header-parameter-value
isValueSecret: false
queryStrings:
- key: query-string-parameter-key
value: query-string-parameter-value
isValueSecret: false
The invocationHttpParameters block adds custom data to outbound requests. Each parameter has a key, value, and isValueSecret flag. When isValueSecret is true, EventBridge encrypts the value. This example extends Basic authentication with custom headers, query strings, and body parameters that appear in every request.
Connect to private APIs via VPC Lattice
Private APIs that aren’t exposed to the internet require connectivity configuration to route requests through VPC Lattice resource configurations.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.cloudwatch.EventConnection("test", {
name: "private-api-connection",
description: "A connection to a private API",
authorizationType: "OAUTH_CLIENT_CREDENTIALS",
authParameters: {
connectivityParameters: {
resourceParameters: {
resourceConfigurationArn: "arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910",
},
},
oauth: {
authorizationEndpoint: "https://private-api.example.com/auth",
httpMethod: "POST",
clientParameters: {
clientId: "1234567890",
clientSecret: "Pass1234!",
},
oauthHttpParameters: {
bodies: [{
key: "grant_type",
value: "client_credentials",
isValueSecret: false,
}],
},
},
},
});
import pulumi
import pulumi_aws as aws
test = aws.cloudwatch.EventConnection("test",
name="private-api-connection",
description="A connection to a private API",
authorization_type="OAUTH_CLIENT_CREDENTIALS",
auth_parameters={
"connectivity_parameters": {
"resource_parameters": {
"resource_configuration_arn": "arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910",
},
},
"oauth": {
"authorization_endpoint": "https://private-api.example.com/auth",
"http_method": "POST",
"client_parameters": {
"client_id": "1234567890",
"client_secret": "Pass1234!",
},
"oauth_http_parameters": {
"bodies": [{
"key": "grant_type",
"value": "client_credentials",
"is_value_secret": False,
}],
},
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("private-api-connection"),
Description: pulumi.String("A connection to a private API"),
AuthorizationType: pulumi.String("OAUTH_CLIENT_CREDENTIALS"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
ConnectivityParameters: &cloudwatch.EventConnectionAuthParametersConnectivityParametersArgs{
ResourceParameters: &cloudwatch.EventConnectionAuthParametersConnectivityParametersResourceParametersArgs{
ResourceConfigurationArn: pulumi.String("arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910"),
},
},
Oauth: &cloudwatch.EventConnectionAuthParametersOauthArgs{
AuthorizationEndpoint: pulumi.String("https://private-api.example.com/auth"),
HttpMethod: pulumi.String("POST"),
ClientParameters: &cloudwatch.EventConnectionAuthParametersOauthClientParametersArgs{
ClientId: pulumi.String("1234567890"),
ClientSecret: pulumi.String("Pass1234!"),
},
OauthHttpParameters: &cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersArgs{
Bodies: cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArray{
&cloudwatch.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs{
Key: pulumi.String("grant_type"),
Value: pulumi.String("client_credentials"),
IsValueSecret: pulumi.Bool(false),
},
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "private-api-connection",
Description = "A connection to a private API",
AuthorizationType = "OAUTH_CLIENT_CREDENTIALS",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
ConnectivityParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersConnectivityParametersArgs
{
ResourceParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersConnectivityParametersResourceParametersArgs
{
ResourceConfigurationArn = "arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910",
},
},
Oauth = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthArgs
{
AuthorizationEndpoint = "https://private-api.example.com/auth",
HttpMethod = "POST",
ClientParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthClientParametersArgs
{
ClientId = "1234567890",
ClientSecret = "Pass1234!",
},
OauthHttpParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs
{
Bodies = new[]
{
new Aws.CloudWatch.Inputs.EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs
{
Key = "grant_type",
Value = "client_credentials",
IsValueSecret = false,
},
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersConnectivityParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersConnectivityParametersResourceParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthClientParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersOauthOauthHttpParametersArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new EventConnection("test", EventConnectionArgs.builder()
.name("private-api-connection")
.description("A connection to a private API")
.authorizationType("OAUTH_CLIENT_CREDENTIALS")
.authParameters(EventConnectionAuthParametersArgs.builder()
.connectivityParameters(EventConnectionAuthParametersConnectivityParametersArgs.builder()
.resourceParameters(EventConnectionAuthParametersConnectivityParametersResourceParametersArgs.builder()
.resourceConfigurationArn("arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910")
.build())
.build())
.oauth(EventConnectionAuthParametersOauthArgs.builder()
.authorizationEndpoint("https://private-api.example.com/auth")
.httpMethod("POST")
.clientParameters(EventConnectionAuthParametersOauthClientParametersArgs.builder()
.clientId("1234567890")
.clientSecret("Pass1234!")
.build())
.oauthHttpParameters(EventConnectionAuthParametersOauthOauthHttpParametersArgs.builder()
.bodies(EventConnectionAuthParametersOauthOauthHttpParametersBodyArgs.builder()
.key("grant_type")
.value("client_credentials")
.isValueSecret(false)
.build())
.build())
.build())
.build())
.build());
}
}
resources:
test:
type: aws:cloudwatch:EventConnection
properties:
name: private-api-connection
description: A connection to a private API
authorizationType: OAUTH_CLIENT_CREDENTIALS
authParameters:
connectivityParameters:
resourceParameters:
resourceConfigurationArn: arn:aws:vpc-lattice:us-east-1:12345678910:resourceconfiguration/rcfg-12345678910
oauth:
authorizationEndpoint: https://private-api.example.com/auth
httpMethod: POST
clientParameters:
clientId: '1234567890'
clientSecret: Pass1234!
oauthHttpParameters:
bodies:
- key: grant_type
value: client_credentials
isValueSecret: false
The connectivityParameters.resourceParameters block references a VPC Lattice resource configuration by ARN. This routes EventBridge requests through your VPC to reach private endpoints. The example combines OAuth authentication with private networking, showing how to authenticate and route to internal APIs.
Encrypt connection secrets with customer-managed keys
Organizations with strict security requirements can use KMS customer-managed keys to encrypt connection credentials instead of AWS-managed keys.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const currentGetPartition = aws.getPartition({});
const test = new aws.kms.Key("test", {
deletionWindowInDays: 7,
policy: JSON.stringify({
Version: "2012-10-17",
Id: "key-policy-example",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: Promise.all([currentGetPartition, current]).then(([currentGetPartition, current]) => `arn:${currentGetPartition.partition}:iam::${current.accountId}:root`),
},
Action: "kms:*",
Resource: "*",
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: Promise.all([currentGetPartition, current]).then(([currentGetPartition, current]) => `arn:${currentGetPartition.partition}:iam::${current.accountId}:root`),
},
Action: [
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
],
Resource: "*",
Condition: {
StringLike: {
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": ["arn:aws:secretsmanager:*:*:secret:events!connection/*"],
},
},
},
],
}),
tags: {
EventBridgeApiDestinations: "true",
},
});
const testEventConnection = new aws.cloudwatch.EventConnection("test", {
name: "ngrok-connection",
description: "A connection description",
authorizationType: "BASIC",
authParameters: {
basic: {
username: "user",
password: "Pass1234!",
},
},
kmsKeyIdentifier: example.id,
});
import pulumi
import json
import pulumi_aws as aws
current = aws.get_caller_identity()
current_get_partition = aws.get_partition()
test = aws.kms.Key("test",
deletion_window_in_days=7,
policy=json.dumps({
"Version": "2012-10-17",
"Id": "key-policy-example",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:{current_get_partition.partition}:iam::{current.account_id}:root",
},
"Action": "kms:*",
"Resource": "*",
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": f"arn:{current_get_partition.partition}:iam::{current.account_id}:root",
},
"Action": [
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
],
"Resource": "*",
"Condition": {
"StringLike": {
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": ["arn:aws:secretsmanager:*:*:secret:events!connection/*"],
},
},
},
],
}),
tags={
"EventBridgeApiDestinations": "true",
})
test_event_connection = aws.cloudwatch.EventConnection("test",
name="ngrok-connection",
description="A connection description",
authorization_type="BASIC",
auth_parameters={
"basic": {
"username": "user",
"password": "Pass1234!",
},
},
kms_key_identifier=example["id"])
package main
import (
"encoding/json"
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/cloudwatch"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
currentGetPartition, err := aws.GetPartition(ctx, &aws.GetPartitionArgs{}, nil)
if err != nil {
return err
}
tmpJSON0, err := json.Marshal(map[string]interface{}{
"Version": "2012-10-17",
"Id": "key-policy-example",
"Statement": []interface{}{
map[string]interface{}{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:%v:iam::%v:root", currentGetPartition.Partition, current.AccountId),
},
"Action": "kms:*",
"Resource": "*",
},
map[string]interface{}{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": map[string]interface{}{
"AWS": fmt.Sprintf("arn:%v:iam::%v:root", currentGetPartition.Partition, current.AccountId),
},
"Action": []string{
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
},
"Resource": "*",
"Condition": map[string]interface{}{
"StringLike": map[string]interface{}{
"kms:ViaService": "secretsmanager.*.amazonaws.com",
"kms:EncryptionContext:SecretARN": []string{
"arn:aws:secretsmanager:*:*:secret:events!connection/*",
},
},
},
},
},
})
if err != nil {
return err
}
json0 := string(tmpJSON0)
_, err = kms.NewKey(ctx, "test", &kms.KeyArgs{
DeletionWindowInDays: pulumi.Int(7),
Policy: pulumi.String(json0),
Tags: pulumi.StringMap{
"EventBridgeApiDestinations": pulumi.String("true"),
},
})
if err != nil {
return err
}
_, err = cloudwatch.NewEventConnection(ctx, "test", &cloudwatch.EventConnectionArgs{
Name: pulumi.String("ngrok-connection"),
Description: pulumi.String("A connection description"),
AuthorizationType: pulumi.String("BASIC"),
AuthParameters: &cloudwatch.EventConnectionAuthParametersArgs{
Basic: &cloudwatch.EventConnectionAuthParametersBasicArgs{
Username: pulumi.String("user"),
Password: pulumi.String("Pass1234!"),
},
},
KmsKeyIdentifier: pulumi.Any(example.Id),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var currentGetPartition = Aws.GetPartition.Invoke();
var test = new Aws.Kms.Key("test", new()
{
DeletionWindowInDays = 7,
Policy = JsonSerializer.Serialize(new Dictionary<string, object?>
{
["Version"] = "2012-10-17",
["Id"] = "key-policy-example",
["Statement"] = new[]
{
new Dictionary<string, object?>
{
["Sid"] = "Enable IAM User Permissions",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = Output.Tuple(currentGetPartition, current).Apply(values =>
{
var currentGetPartition = values.Item1;
var current = values.Item2;
return $"arn:{currentGetPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root";
}),
},
["Action"] = "kms:*",
["Resource"] = "*",
},
new Dictionary<string, object?>
{
["Sid"] = "Allow use of the key",
["Effect"] = "Allow",
["Principal"] = new Dictionary<string, object?>
{
["AWS"] = Output.Tuple(currentGetPartition, current).Apply(values =>
{
var currentGetPartition = values.Item1;
var current = values.Item2;
return $"arn:{currentGetPartition.Apply(getPartitionResult => getPartitionResult.Partition)}:iam::{current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId)}:root";
}),
},
["Action"] = new[]
{
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey",
},
["Resource"] = "*",
["Condition"] = new Dictionary<string, object?>
{
["StringLike"] = new Dictionary<string, object?>
{
["kms:ViaService"] = "secretsmanager.*.amazonaws.com",
["kms:EncryptionContext:SecretARN"] = new[]
{
"arn:aws:secretsmanager:*:*:secret:events!connection/*",
},
},
},
},
},
}),
Tags =
{
{ "EventBridgeApiDestinations", "true" },
},
});
var testEventConnection = new Aws.CloudWatch.EventConnection("test", new()
{
Name = "ngrok-connection",
Description = "A connection description",
AuthorizationType = "BASIC",
AuthParameters = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersArgs
{
Basic = new Aws.CloudWatch.Inputs.EventConnectionAuthParametersBasicArgs
{
Username = "user",
Password = "Pass1234!",
},
},
KmsKeyIdentifier = example.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.inputs.GetPartitionArgs;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.cloudwatch.EventConnection;
import com.pulumi.aws.cloudwatch.EventConnectionArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersArgs;
import com.pulumi.aws.cloudwatch.inputs.EventConnectionAuthParametersBasicArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity(GetCallerIdentityArgs.builder()
.build());
final var currentGetPartition = AwsFunctions.getPartition(GetPartitionArgs.builder()
.build());
var test = new Key("test", KeyArgs.builder()
.deletionWindowInDays(7)
.policy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Id", "key-policy-example"),
jsonProperty("Statement", jsonArray(
jsonObject(
jsonProperty("Sid", "Enable IAM User Permissions"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:%s:iam::%s:root", currentGetPartition.partition(),current.accountId()))
)),
jsonProperty("Action", "kms:*"),
jsonProperty("Resource", "*")
),
jsonObject(
jsonProperty("Sid", "Allow use of the key"),
jsonProperty("Effect", "Allow"),
jsonProperty("Principal", jsonObject(
jsonProperty("AWS", String.format("arn:%s:iam::%s:root", currentGetPartition.partition(),current.accountId()))
)),
jsonProperty("Action", jsonArray(
"kms:DescribeKey",
"kms:Decrypt",
"kms:GenerateDataKey"
)),
jsonProperty("Resource", "*"),
jsonProperty("Condition", jsonObject(
jsonProperty("StringLike", jsonObject(
jsonProperty("kms:ViaService", "secretsmanager.*.amazonaws.com"),
jsonProperty("kms:EncryptionContext:SecretARN", jsonArray("arn:aws:secretsmanager:*:*:secret:events!connection/*"))
))
))
)
))
)))
.tags(Map.of("EventBridgeApiDestinations", "true"))
.build());
var testEventConnection = new EventConnection("testEventConnection", EventConnectionArgs.builder()
.name("ngrok-connection")
.description("A connection description")
.authorizationType("BASIC")
.authParameters(EventConnectionAuthParametersArgs.builder()
.basic(EventConnectionAuthParametersBasicArgs.builder()
.username("user")
.password("Pass1234!")
.build())
.build())
.kmsKeyIdentifier(example.id())
.build());
}
}
resources:
test:
type: aws:kms:Key
properties:
deletionWindowInDays: 7
policy:
fn::toJSON:
Version: 2012-10-17
Id: key-policy-example
Statement:
- Sid: Enable IAM User Permissions
Effect: Allow
Principal:
AWS: arn:${currentGetPartition.partition}:iam::${current.accountId}:root
Action: kms:*
Resource: '*'
- Sid: Allow use of the key
Effect: Allow
Principal:
AWS: arn:${currentGetPartition.partition}:iam::${current.accountId}:root
Action:
- kms:DescribeKey
- kms:Decrypt
- kms:GenerateDataKey
Resource: '*'
Condition:
StringLike:
kms:ViaService: secretsmanager.*.amazonaws.com
kms:EncryptionContext:SecretARN:
- arn:aws:secretsmanager:*:*:secret:events!connection/*
tags:
EventBridgeApiDestinations: 'true'
testEventConnection:
type: aws:cloudwatch:EventConnection
name: test
properties:
name: ngrok-connection
description: A connection description
authorizationType: BASIC
authParameters:
basic:
username: user
password: Pass1234!
kmsKeyIdentifier: ${example.id}
variables:
current:
fn::invoke:
function: aws:getCallerIdentity
arguments: {}
currentGetPartition:
fn::invoke:
function: aws:getPartition
arguments: {}
The kmsKeyIdentifier property specifies a KMS key for encrypting connection secrets. EventBridge stores credentials in Secrets Manager, which uses your KMS key for encryption. The KMS key policy must grant EventBridge access to encrypt and decrypt via Secrets Manager, as shown in the policy’s Condition block that restricts usage to the secretsmanager service.
Beyond these examples
These snippets focus on specific connection-level features: authentication methods (API key, Basic, OAuth), request customization (headers, query strings, body parameters), and private API connectivity and encryption. They’re intentionally minimal rather than complete event routing configurations.
The examples may reference pre-existing infrastructure such as VPC Lattice resource configurations (for private APIs) and KMS customer-managed keys (for encryption). They focus on connection configuration rather than the full EventBridge event flow.
To keep things focused, common connection patterns are omitted, including:
- API destination configuration (connections are used by destinations)
- Event rule and target setup (how events flow to destinations)
- Secret rotation and credential management
- Connection testing and validation
These omissions are intentional: the goal is to illustrate how each connection feature is wired, not provide drop-in event routing modules. See the EventBridge Connection resource reference for all available configuration options.
Let's configure AWS EventBridge Connections
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Authentication & Authorization
What authentication types are supported for EventBridge connections?
EventBridge connections support three authentication types:
API_KEY, BASIC, and OAUTH_CLIENT_CREDENTIALS.How do I configure OAuth authentication for a connection?
Set
authorizationType to OAUTH_CLIENT_CREDENTIALS and provide an oauth block with authorizationEndpoint, httpMethod, clientParameters (client ID and secret), and optionally oauthHttpParameters for additional headers, body, or query string parameters.What's the difference between invocationHttpParameters and oauthHttpParameters?
invocationHttpParameters are sent with every API invocation, while oauthHttpParameters are sent only during OAuth token exchange.Can I mark HTTP parameters as secret?
Yes, set
isValueSecret to true on body, header, or query string parameters to mark them as sensitive values.Encryption & Security
How do I encrypt connection secrets with my own KMS key?
Specify
kmsKeyIdentifier with your KMS key ARN, ID, alias, or alias ARN. The key policy must allow kms:DescribeKey, kms:Decrypt, and kms:GenerateDataKey actions with a ViaService condition for secretsmanager.*.amazonaws.com and an EncryptionContext condition for events!connection/* secrets.Where are connection credentials stored?
EventBridge stores connection credentials in AWS Secrets Manager. The ARN is available in the
secretArn output property.Private API Connectivity
How do I connect to a private API using VPC Lattice?
Use
connectivityParameters with a resourceParameters block containing the resourceConfigurationArn of your VPC Lattice resource configuration.Configuration Limits & Constraints
Can I rename a connection after creation?
No, the
name property is immutable and requires resource replacement to change.What are the character limits for connection name and description?
Connection names have a maximum of 64 characters (numbers, letters,
., -, _). Descriptions have a maximum of 512 characters.How many authParameters blocks can I configure?
Only one
authParameters block is allowed per connection. All authorization configuration must be contained within this single block.Is EventBridge connection the same as CloudWatch Events connection?
Yes, EventBridge was formerly known as CloudWatch Events. The functionality is identical.
Which AWS region will my connection be created in?
Connections are created in the region specified by the
region property, which defaults to the region configured in your Pulumi provider.Using a different cloud?
Explore integration guides for other cloud providers: