Connections for HTTP endpoint targets in Amazon EventBridge - Amazon EventBridge

A connection defines the authorization method and credentials that EventBridge uses to connect to a given HTTP endpoint. When you configure the authorization settings and create a connection, EventBridge creates a secret in AWS Secrets Manager to securely store the authorization information. You can also include additional parameters in the connection as appropriate for your HTTP endpoint target.

Use connections with:

  • API destinations

    When you create an API destination, you specify a connection to use for it. You can choose an existing connection from your account, or create a connection when you create an API destination.

  • HTTP tasks in AWS Step Functions

    An HTTP Task is a type of Task workflow state that lets you call any public, third-party API, such as Salesforce and Stripe, in your workflows. The task uses a connection to specify the authorization type and credentials to use when authorizing calls to the third-party API.

    For more information, see Call third-party APIs in Step Functions workflows in the Step Functions User Guide.

EventBridge and Step Functions use connections as authorization configurations for HTTP endpoints.

Authorization methods for connections

EventBridge connections support the following authorization methods:

  • Basic

  • API Key

    For Basic and API Key authorization, EventBridge populates the required authorization headers for you.

  • OAuth

    For OAuth authorization, EventBridge also exchanges your client ID and secret for an access token and then manages it securely.

    OAuth tokens are refreshed when a 401 or 407 response is returned.

When you create a connection, you can also include the header, body, and query parameters that are required for authorization with an endpoint. You can use the same connection for more than one HTTP endpoint if the authorization for the endpoint is the same.

When you create a connection and add authorization parameters, EventBridge creates a secret in AWS Secrets Manager. The cost of both storing and accessing the Secrets Manager secret is included with the charge for using an API destination. To learn more about best practices for using secrets with API destinations, see AWS::Events::ApiDestination in the CloudFormation User Guide.
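The OAuth case and the extra header and body parameters described above, as a CloudFormation template fragment. This is an added example, not taken from the AWS documentation; the resource names, the example.com URLs, the parameter values, and the pre-existing Secrets Manager secret `partner/oauth` (with JSON keys `client_id` and `client_secret`) are assumptions. It supplies the client credentials through dynamic references so that they never appear in the template or in version control.

```yaml
# Added example; names, URLs and the source secret "partner/oauth" are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  PartnerConnection:
    Type: AWS::Events::Connection
    Properties:
      Name: partner-oauth-connection
      AuthorizationType: OAUTH_CLIENT_CREDENTIALS
      AuthParameters:
        OAuthParameters:
          AuthorizationEndpoint: https://auth.example.com/oauth/token
          HttpMethod: POST
          ClientParameters:
            # Weak form to avoid: a literal such as ClientSecret: "my-secret"
            # leaves the credential readable in the template and its history.
            # Corrected form: resolve both values from Secrets Manager at deploy time.
            ClientID: "{{resolve:secretsmanager:partner/oauth:SecretString:client_id}}"
            ClientSecret: "{{resolve:secretsmanager:partner/oauth:SecretString:client_secret}}"
          # Parameters sent with the token request itself.
          OAuthHttpParameters:
            BodyParameters:
              - Key: grant_type
                Value: client_credentials
                IsValueSecret: false
        # Parameters added to every invocation of the HTTP endpoint.
        InvocationHttpParameters:
          HeaderParameters:
            - Key: X-Tenant-Id
              Value: tenant-1234        # constructed sample value
              IsValueSecret: false      # set to true for sensitive values

  # One connection can back several destinations that share the same authorization.
  PartnerDestination:
    Type: AWS::Events::ApiDestination
    Properties:
      ConnectionArn: !GetAtt PartnerConnection.Arn
      InvocationEndpoint: https://api.example.com/v1/events
      HttpMethod: POST
      InvocationRateLimitPerSecond: 10
```

EventBridge still creates its own managed secret for the connection when this stack deploys; the `partner/oauth` secret is only the source the template reads from.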

Note

To successfully create or update a connection, you must use an account that has permission to use Secrets Manager. The required permission is included in the AmazonEventBridgeFullAccess policy. The same permission is granted to the service-linked role that's created in your account for the connection.