EventBridge API Destinations are a powerful way to send events to HTTP endpoints, but securing them requires careful attention to authentication.

Let’s see an API Destination in action. Imagine we want to send an event to a webhook for a new user signup.

Here’s a simplified example of an API Destination configuration:

{
  "Name": "MyWebhookDestination",
  "Description": "Sends new user events to our CRM webhook",
  "ConnectionArn": "arn:aws:events:us-east-1:123456789012:connection/MyBasicAuthConnection/...",
  "InvocationEndpoint": "https://api.example.com/v1/webhooks/new-user",
  "HttpMethod": "POST",
  "RetryPolicy": {
    "MaximumRetryAttempts": 3,
    "MaximumEventAgeInSeconds": 60
  },
  "HttpParameters": {
    "HeaderParameters": {
      "Content-Type": "application/json"
    }
  }
}

The ConnectionArn is the key piece here. It points to an EventBridge Connection resource, which stores the authentication credentials. EventBridge uses this connection to authenticate its requests to your InvocationEndpoint.

The core problem API Destinations solve is enabling EventBridge to send events to any HTTP endpoint, not just other AWS services. This opens up a vast array of integrations, from SaaS applications to on-premises servers. Internally, EventBridge manages the outbound HTTP requests, including retries and error handling, based on the RetryPolicy you define.

You control the integration through the InvocationEndpoint, HttpMethod, HttpParameters (for headers and query strings), and crucially, the authentication method configured in the associated ConnectionArn.

The most common authentication methods for API Destinations are:

  • Basic Authentication: This is straightforward, using a username and password. The Connection resource will store these, and EventBridge will automatically include the Authorization: Basic <base64-encoded-username:password> header in its requests.
  • OAuth 2.0: This is more complex but more secure for many modern applications. You configure EventBridge to act as an OAuth client, obtaining an access token from an authorization server. This often involves a client ID, client secret, and scopes. EventBridge can be configured to automatically refresh tokens.
  • API Key: Some services use a simple API key passed in a header or query parameter. You configure the key name and value within the Connection resource.

When setting up a Connection for Basic Authentication, you’ll provide the username and password. EventBridge then Base64-encodes these and adds them to the Authorization header.

For OAuth 2.0, you’ll need to specify the authorization endpoint, token endpoint, client ID, client secret, and the desired scopes. EventBridge will handle the token exchange and refresh process.

API Key authentication is the simplest: you specify the header name (e.g., X-API-Key) and the secret value.
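On the receiving side, the webhook endpoint has to verify whatever EventBridge sends, so the scheme you pick in the Connection only protects you if the endpoint actually checks it. The following is an added example (my own code, not part of the page and not an AWS library) of a Python verifier for the two header-based schemes described above: it parses the Authorization: Basic header EventBridge builds for a Basic Auth Connection and checks a custom API-key header, comparing both in constant time. The credential values and the X-Custom-Auth header name are constructed placeholders that mirror the page's sample Connections; in a real receiver they would come from your own secret store.

```python
import base64
import hmac
from typing import Mapping, Optional, Tuple

# Constructed sample credentials (assumption: same values as the page's sample
# Connections). A real receiver loads these from its own secret store.
EXPECTED_BASIC = ("myuser", "mypassword")
EXPECTED_API_KEY_HEADER = "X-Custom-Auth"
EXPECTED_API_KEY = "my-secret-key-value"


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time comparison so a wrong credential does not leak via timing."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(username: str, password: str) -> str:
    """Build the header EventBridge sends for a Basic Auth Connection:
    'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(username:password)>'.

    Returns (username, password), or None if the header is absent, uses a
    different scheme, is not valid base64, or has no ':' separator.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # RFC 7617: split at the FIRST colon only; passwords may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def is_authorized(headers: Mapping[str, str]) -> bool:
    """Accept the request if either configured scheme is satisfied."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}

    creds = parse_basic_auth(lower.get("authorization"))
    if creds is not None:
        user, pwd = creds
        # Evaluate both comparisons so a username mismatch does not short-circuit.
        ok_user = _ct_equal(user, EXPECTED_BASIC[0])
        ok_pwd = _ct_equal(pwd, EXPECTED_BASIC[1])
        if ok_user and ok_pwd:
            return True

    api_key = lower.get(EXPECTED_API_KEY_HEADER.lower())
    if api_key is not None and _ct_equal(api_key, EXPECTED_API_KEY):
        return True
    return False


if __name__ == "__main__":
    # Constructed request headers, as an EventBridge delivery would carry them.
    print(is_authorized({"Authorization": basic_header("myuser", "mypassword")}))  # True
    print(is_authorized({"X-Custom-Auth": "wrong"}))  # False
```

Because the Connection stores the password or key in plaintext-equivalent form on the AWS side, the endpoint should treat these as bearer credentials: rotate them by updating the Connection, and reject requests that arrive over plain HTTP.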

The InvocationEndpoint is the target URL for your events. EventBridge will make POST requests by default if no HttpMethod is specified, but you can explicitly set it to GET, PUT, POST, DELETE, or PATCH.

The HttpParameters allow you to add custom headers or query string parameters to the outgoing request. This is useful for setting Content-Type, passing tracking IDs, or including other metadata the target endpoint expects.

The RetryPolicy is essential for robust integrations. MaximumRetryAttempts controls how many times EventBridge will retry a failed request, and MaximumEventAgeInSeconds limits how long an event is considered valid for delivery.
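Because an API Destination definition is just a document, it is easy to lint before you hand it to create-api-destination. The following is an added example (my own script, not AWS tooling and not from the page) of a small validator for a definition shaped like the one above. It enforces the https requirement for InvocationEndpoint, the method list the page gives, the shape of a Connection ARN, and the bounds EventBridge documents for target retry policies (0 to 185 attempts, 60 to 86400 seconds); the check for credential-carrying header names in HttpParameters is a heuristic I added, since credentials belong in the Connection. The sample definition is the page's own, kept with its elided ARN id.

```python
import re
from typing import Any, Dict, List
from urllib.parse import urlsplit

# HTTP methods the page lists for API Destinations.
ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE", "PATCH"}
# Bounds EventBridge documents for target retry policies (assumption: current).
MIN_ATTEMPTS, MAX_ATTEMPTS = 0, 185
MIN_EVENT_AGE, MAX_EVENT_AGE = 60, 86400
# arn:aws:events:<region>:<12-digit account>:connection/<name>/<id>
CONNECTION_ARN = re.compile(
    r"^arn:aws[\w-]*:events:[a-z0-9-]+:\d{12}:connection/[^/]+/.+$"
)
# Header names that usually carry a credential (heuristic, not an AWS rule).
CREDENTIAL_HEADERS = {"authorization", "x-api-key"}

# The page's sample definition (constructed copy; ARN id left as the page's "...").
SAMPLE: Dict[str, Any] = {
    "Name": "MyWebhookDestination",
    "Description": "Sends new user events to our CRM webhook",
    "ConnectionArn": "arn:aws:events:us-east-1:123456789012:connection/MyBasicAuthConnection/...",
    "InvocationEndpoint": "https://api.example.com/v1/webhooks/new-user",
    "HttpMethod": "POST",
    "RetryPolicy": {"MaximumRetryAttempts": 3, "MaximumEventAgeInSeconds": 60},
    "HttpParameters": {"HeaderParameters": {"Content-Type": "application/json"}},
}


def validate_api_destination(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the definition passed."""
    problems: List[str] = []

    for key in ("Name", "ConnectionArn", "InvocationEndpoint", "HttpMethod"):
        if not cfg.get(key):
            problems.append(f"{key} is required")

    # Credentials from the Connection travel in request headers: TLS only.
    if urlsplit(str(cfg.get("InvocationEndpoint", ""))).scheme != "https":
        problems.append("InvocationEndpoint must use https")

    if cfg.get("HttpMethod") not in ALLOWED_METHODS:
        problems.append(f"HttpMethod must be one of {sorted(ALLOWED_METHODS)}")

    if not CONNECTION_ARN.match(str(cfg.get("ConnectionArn", ""))):
        problems.append("ConnectionArn does not look like an EventBridge Connection ARN")

    retry = cfg.get("RetryPolicy") or {}
    attempts = retry.get("MaximumRetryAttempts")
    if attempts is not None and not (MIN_ATTEMPTS <= attempts <= MAX_ATTEMPTS):
        problems.append(f"MaximumRetryAttempts must be {MIN_ATTEMPTS}-{MAX_ATTEMPTS}")
    age = retry.get("MaximumEventAgeInSeconds")
    if age is not None and not (MIN_EVENT_AGE <= age <= MAX_EVENT_AGE):
        problems.append(f"MaximumEventAgeInSeconds must be {MIN_EVENT_AGE}-{MAX_EVENT_AGE}")

    # Static headers are stored in plain configuration, not in Secrets Manager.
    headers = (cfg.get("HttpParameters") or {}).get("HeaderParameters") or {}
    for name in headers:
        if name.lower() in CREDENTIAL_HEADERS:
            problems.append(f"header {name!r} carries a credential; configure it in the Connection instead")

    return problems


if __name__ == "__main__":
    for problem in validate_api_destination(SAMPLE) or ["ok"]:
        print(problem)
```

Run it against the JSON you keep in version control (for example from a pre-commit hook) so a definition that points at an http:// endpoint or smuggles a token into HeaderParameters never reaches the account.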

When configuring the Connection resource, you’ll choose the authentication type and provide the necessary credentials. For example, using the AWS CLI for a Basic Auth connection:

aws events create-connection \
    --name MyBasicAuthConnection \
    --authorization-type BASIC \
    --auth-parameters 'BasicAuthParameters={Username=myuser,Password=mypassword}' \
    --region us-east-1

Quote the --auth-parameters value as shown: in bash an unquoted {a,b} is brace-expanded into two separate arguments before the CLI ever sees it. The shorthand key for Basic credentials is BasicAuthParameters.

For an API Key connection:

aws events create-connection \
    --name MyApiKeyConnection \
    --authorization-type API_KEY \
    --auth-parameters 'ApiKeyAuthParameters={ApiKeyName=X-Custom-Auth,ApiKeyValue=my-secret-key-value}' \
    --region us-east-1

EventBridge uses AWS Secrets Manager behind the scenes to securely store the credentials associated with your Connections. This means you don’t have to manage secrets directly in your EventBridge configuration.

A common point of confusion is that the ConnectionArn must be created before you create the API Destination that uses it. EventBridge will not create the connection for you during API Destination creation.

The most surprising true thing about EventBridge API Destinations is that they allow you to send events to any publicly accessible HTTP endpoint, and the authentication is handled entirely by EventBridge using the configured Connection. This means you don’t need to write custom Lambda functions or other intermediary services just to authenticate an outbound webhook.

Once you have your API Destination configured, you’ll need to set up a rule that matches the events you want to send and targets this API Destination. The rule’s input transformer can then shape the event data before it’s sent.

The next concept to explore is how to handle different authentication schemes for different endpoints, and the implications of using OAuth 2.0 flows with EventBridge.
