AWS Event Bridge and SailPoint Event Triggers

@neil.mcglennon, David Bullas, and I were guest speakers on the AWS “Howdy Partner” Twitch stream. The stream was an in-depth demonstration of how to use AWS Event Bridge to consume and act on SailPoint event triggers within the AWS ecosystem. @neil.mcglennon presented three unique use cases that really show off the power of these two platforms. You can check out the recording at Twitch. The link to the code samples is on our public GitHub repository.


Great video guys! Such an exciting future for IDNow with everything you all are building.

Glad you enjoyed the video! There will be more content to come as we continue to add more content and resources to the developer community; stay tuned!

The video was helpful, thanks.

Where I’m apparently having trouble is creating an EventBridge rule event pattern that will match whatever IDN is sending to EventBridge. The rule builder in the AWS console has apparently changed since the video was recorded, and I don’t know if that’s contributing to my difficulties. In any case, here are the details on where I’m having trouble with the event pattern.

In the “Build event pattern” wizard, I’m selecting an event source of “Other”, as that’s what it indicates partner events are. For the “Sample event”, I’m taking the JSON from the activity log on the event trigger subscription in IDN.


For the “Event pattern” I’m trying to create something that will always match. I create a pattern with an expression that says no field named “gobbledygook” exists in the event, which is logically true. However, when I test the pattern, it gives the error ‘Sample event did not match the event pattern’.


No matter what I try for an event pattern, I’m unable to create a pattern that matches the sample event based on the JSON I got from the activity log on the event trigger subscription in IDN. This is apparently why I am unable to use AWS to take action on the event from IDN, because the EventBridge rule will never proceed unless there’s a match on the event pattern.

By the way, in the “Build event pattern” wizard, if I take one of AWS’s predefined sample events, I am able to create an event pattern that matches the same expression saying that no field named “gobbledygook” exists in the event. So it doesn’t seem that my event pattern is the problem, but rather the event data that’s supposed to be coming from IDN seems to be the problem.

What do I need to do to get EventBridge to accept the event from IDN so that I can begin taking action on it?
Thanks!

Hi Thad,

In EventBridge, event patterns are used to filter the event stream, so that only certain events on EventBridge go to the target(s) you are defining. AWS have a pretty good article about it here: Amazon EventBridge event patterns - Amazon EventBridge

For me, since I do the filtering on the IdentityNow side, I select All Events which then get sent to the target. This seems to work for my use cases. I’d suggest trying this first, sending to something like CloudWatch (so you can see the event payload), and then go back and work on the event filtering.

If you want to continue filtering, if your example event, say identity-attributes-created, looks like this:

{
  "identity": {
    "id": "ee769173319b41d19ccec6cea52f237b",
    "name": "john.doe",
    "type": "IDENTITY"
  },
  "changes": [
    {
      "attribute": "department",
      "oldValue": "sales",
      "newValue": "marketing"
    },
    {
      "attribute": "manager",
      "oldValue": {
        "id": "ee769173319b41d19ccec6c235423237b",
        "name": "nice.guy",
        "type": "IDENTITY"
      },
      "newValue": {
        "id": "ee769173319b41d19ccec6c235423236c",
        "name": "mean.guy",
        "type": "IDENTITY"
      }
    },
    {
      "attribute": "email",
      "oldValue": "[email protected]",
      "newValue": "[email protected]"
    }
  ]
}

Then over on EventBridge it might look like this:

{
    "version": "0",
    "id": "ff2b160d-2d99-e3f9-2b36-62412f9818c0",
    "detail-type": "idn:identity-attributes changed",
    "source": "aws.partner/sailpoint.com/ab2bf374-b793-4327-a5be-c5aa0dca1a44/idn/identity-attributes changed",
    "account": "122765469379",
    "time": "2022-04-07T16:31:08Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "identity": {
            "id": "ee769173319b41d19ccec6cea52f237b",
            "name": "john.doe",
            "type": "IDENTITY"
        },
        "changes": [{
                "attribute": "department",
                "oldValue": "sales",
                "newValue": "marketing"
            },
            {
                "attribute": "manager",
                "oldValue": {
                    "id": "ee769173319b41d19ccec6c235423237b",
                    "name": "nice.guy",
                    "type": "IDENTITY"
                },
                "newValue": {
                    "id": "ee769173319b41d19ccec6c235423236c",
                    "name": "mean.guy",
                    "type": "IDENTITY"
                }
            },
            {
                "attribute": "email",
                "oldValue": "[email protected]",
                "newValue": "[email protected]"
            }
        ]
    },
    "_metadata": {
        "triggerType": "fireAndForget",
        "triggerId": "idn:identity-attributes changed",
        "invocationId": "da0fe1ee-12ec-474d-a2be-aced87eb6c1b"
    }
}

From here you could do a policy that only applies to these types of events by using detail-type:

{
  "detail-type": ["idn:identity-attributes changed"]
}

Alternately, you could also apply the policy based on things in the detail section; you'd just need to traverse the nesting, just like the example in the AWS document.
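To make the filtering rules in the answer above concrete, here is an added example (not code from the stream, from SailPoint, or from the answer's author) that emulates the EventBridge pattern-matching rules offline. It takes the envelope shown above (trimmed to the keys that matter, the email change left out) and the bare trigger payload as the IDN activity log would show it, and checks several patterns against both shapes: the detail-type filter from the answer, an account filter, a nested filter down into detail.changes, an "exists": false filter on a field that is not there, and, going a bit beyond the answer, the "prefix" and "anything-but" content filters that EventBridge also documents. The matcher semantics (every pattern key must be satisfied, one matching value per key is enough, arrays in the event are flattened) follow the AWS documentation; the pattern names and the check_all helper are this example's own.

```python
"""Offline emulation of the EventBridge event-pattern rules discussed above.

Added example, not code from the stream, the answer, or SailPoint. It covers the
documented behaviour for literal values, nested objects, array flattening and the
"prefix", "exists" and "anything-but" matchers; anything else raises ValueError.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed from the envelope in the answer above (trimmed; email change omitted).
SAMPLE_ENVELOPE: Dict[str, Any] = {
    "detail-type": "idn:identity-attributes changed",
    "source": "aws.partner/sailpoint.com/ab2bf374-b793-4327-a5be-c5aa0dca1a44"
              "/idn/identity-attributes changed",
    "account": "122765469379",
    "time": "2022-04-07T16:31:08Z",
    "region": "us-east-1",
    "detail": {
        "identity": {"id": "ee769173319b41d19ccec6cea52f237b",
                     "name": "john.doe", "type": "IDENTITY"},
        "changes": [
            {"attribute": "department", "oldValue": "sales", "newValue": "marketing"},
            {"attribute": "manager",
             "oldValue": {"id": "ee769173319b41d19ccec6c235423237b",
                          "name": "nice.guy", "type": "IDENTITY"},
             "newValue": {"id": "ee769173319b41d19ccec6c235423236c",
                          "name": "mean.guy", "type": "IDENTITY"}},
        ],
    },
}

# What the IDN activity log shows: the trigger payload alone, with no envelope keys.
RAW_PAYLOAD: Dict[str, Any] = SAMPLE_ENVELOPE["detail"]


def field_values(node: Any, path: List[str]) -> List[Any]:
    """All leaf values reachable along `path`; arrays are flattened as EventBridge does."""
    if not path:
        return list(node) if isinstance(node, list) else [node]
    if isinstance(node, list):
        found: List[Any] = []
        for item in node:
            found.extend(field_values(item, path))
        return found
    if isinstance(node, dict) and path[0] in node:
        return field_values(node[path[0]], path[1:])
    return []  # key absent: nothing to match against


def leaf_matches(value: Any, matcher: Any) -> bool:
    """Compare one event value with one pattern matcher (literal or content-filter object)."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "anything-but" in matcher:
            banned = matcher["anything-but"]
            return value not in (banned if isinstance(banned, list) else [banned])
        raise ValueError(f"unsupported matcher: {matcher}")
    return value == matcher


def pattern_matches(event: Dict[str, Any], pattern: Dict[str, Any],
                    _path: Tuple[str, ...] = ()) -> bool:
    """Every key in the pattern must be satisfied; a key is satisfied by any one matcher."""
    for key, spec in pattern.items():
        path = list(_path) + [key]
        if isinstance(spec, dict):  # nested object: descend into the event
            if not pattern_matches(event, spec, tuple(path)):
                return False
            continue
        if not isinstance(spec, list):
            raise ValueError(f"pattern value for {'.'.join(path)} must be an array")
        values = field_values(event, path)
        satisfied = False
        for matcher in spec:
            if isinstance(matcher, dict) and "exists" in matcher:
                satisfied = bool(values) == bool(matcher["exists"])
            else:
                satisfied = any(leaf_matches(v, matcher) for v in values)
            if satisfied:
                break
        if not satisfied:
            return False
    return True


# Patterns from the thread plus two content filters; each is checked against both shapes.
PATTERNS: Dict[str, Dict[str, Any]] = {
    "by detail-type": {"detail-type": ["idn:identity-attributes changed"]},
    "by account":     {"account": ["122765469379"]},
    "nested detail":  {"detail": {"changes": {"attribute": ["manager"]}}},
    "exists false":   {"gobbledygook": [{"exists": False}]},
    "source prefix":  {"source": [{"prefix": "aws.partner/sailpoint.com/"}]},
    "not us-east-1":  {"region": [{"anything-but": ["us-east-1"]}]},
}


def check_all() -> Dict[str, Tuple[bool, bool]]:
    """Map each pattern name to (matches the envelope, matches the raw payload)."""
    return {name: (pattern_matches(SAMPLE_ENVELOPE, p), pattern_matches(RAW_PAYLOAD, p))
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    print(json.dumps(check_all(), indent=2))
```

The second element of each result is the point: a pattern on detail-type, account or detail.* can only match the envelope that EventBridge wraps around the trigger payload, never the bare payload copied from the activity log, because those keys do not exist there; only the "exists": false pattern matches both. Before relying on a pattern in a rule, confirm it against a real captured event with `aws events test-event-pattern --event-pattern file://pattern.json --event file://event.json` (or boto3's `test_event_pattern`), since this emulation implements only the subset of matchers listed in its docstring.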

Thanks for your response @neil_mcglennon. AWS is apparently forcing me to use some kind of event pattern matching. Here you can see I’m creating a rule on the aws.partner/sailpoint.com event bus.

The next page is “Build event pattern”, and now I have selected “All events”. Previously I had selected “Other”, because I thought the event from SailPoint was a partner event. In any case, with “All events” selected, AWS has filled in the following event pattern, which happens to contain my AWS account number:

{
  "account": ["598383863871"]
}

The AWS console has no facility for me to edit or delete this event pattern. Is my AWS account number going to be in the event coming from the trigger subscription? My guess is that it’s not, as still no events are coming into my targets (a CloudWatch log group and a Lambda function). Am I missing something?

Mysteriously, a second partner event source showed up in EventBridge today, and no new event trigger subscription was created in IdentityNow. The only apparent difference is the cryptic thing that looks like an ID in the name. The second partner event source is receiving the events, but the first one is not. How is one supposed to know which source has the goods, except by trial and error?