Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Amazon EventBridge Scheduler

Before you can use EventBridge Scheduler, you must complete the following steps.

Sign up for Amazon

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services
  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Create an IAM user

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Use managed policies

In the previous step, you set up an IAM user with the credentials to access your Amazon resources. In most cases, to use EventBridge Scheduler securely, we recommend that you create separate users, groups, or roles with only the necessary permissions to use EventBridge Scheduler. EventBridge Scheduler supports the following managed policies for common use cases.

You can attach these managed policies to your IAM principals the same way you attached the AdministratorAccess policy in the previous step. For more information about managing access to EventBridge Scheduler using identity-based IAM policies, see Using identity-based policies in EventBridge Scheduler.

Set up the execution role

An execution role is an IAM role that EventBridge Scheduler assumes in order to interact with other Amazon Web Services services on your behalf. You attach permission policies to this role to grant EventBridge Scheduler access to invoke targets.

You can also create a new execution role when you use the console to create a new schedule. If you use the console, EventBridge Scheduler creates a role on your behalf with permissions based on the target you choose. When EventBridge Scheduler creates a role for you, the role's trust policy includes condition keys that limit which principals can assume the role on your behalf. This guards against the potential confused deputy security issue.

The following steps describe how to create a new execution role and how to grant EventBridge Scheduler access to invoke a target. This topic describes permissions for popular templated targets. For information on adding permissions for other targets, see Using templated targets in EventBridge Scheduler.

To create an execution role using the Amazon CLI
  1. Copy the following assume role JSON policy and save it locally as Scheduler-Execution-Role.json. This trust policy allows EventBridge Scheduler to assume the role on your behalf.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "scheduler.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    Important

    To set up an execution role in a production environment, we recommend implementing additional safeguards for preventing confused deputy issues. For more information and an example policy, see Confused deputy prevention in EventBridge Scheduler.

  2. From the Amazon Command Line Interface (Amazon CLI), enter the following command to create a new role. Replace SchedulerExecutionRole with the name you want to give this role.

    $ aws iam create-role --role-name SchedulerExecutionRole --assume-role-policy-document file://Scheduler-Execution-Role.json

    If successful, you'll see the following output:

    {
        "Role": {
            "Path": "/",
            "RoleName": "SchedulerExecutionRole",
            "RoleId": "BR1L2DZK3K4CTL5ZF9EIL",
            "Arn": "arn:aws:iam::123456789012:role/SchedulerExecutionRole",
            "CreateDate": "2022-03-10T18:45:01+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "scheduler.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }
        }
    }
  3. To create a new policy that allows EventBridge Scheduler to invoke a target, choose one of the following common targets. Copy the JSON permission policy and save it locally as a .json file.

    Amazon SQS – SendMessage

    The following allows EventBridge Scheduler to call the sqs:SendMessage action on all Amazon SQS queues in your account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sqs:SendMessage"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    Amazon SNS – Publish

    The following allows EventBridge Scheduler to call the sns:Publish action on all Amazon SNS topics in your account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sns:Publish"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    Lambda – Invoke

    The following allows EventBridge Scheduler to call the lambda:InvokeFunction action on all Lambda functions in your account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "lambda:InvokeFunction"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
  4. Run the following command to create the new permission policy. Replace PolicyName with the name you want to give this policy.

    $ aws iam create-policy --policy-name PolicyName --policy-document file://PermissionPolicy.json

    If successful, you'll see the following output. Note the policy ARN. You use this ARN in the next step to attach the policy to your execution role.

    {
        "Policy": {
            "PolicyName": "PolicyName",
            "CreateDate": "2022-03-15T19:31:18.620Z",
            "AttachmentCount": 0,
            "IsAttachable": true,
            "PolicyId": "ZXR6A36LTYANPAI7NJ5UV",
            "DefaultVersionId": "v1",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:policy/PolicyName",
            "UpdateDate": "2022-03-15T19:31:18.620Z"
        }
    }
    
  5. Run the following command to attach the policy to your execution role. Replace your-policy-arn with the ARN of the policy you created in the previous step. Replace SchedulerExecutionRole with the name of your execution role.

    $ aws iam attach-role-policy --policy-arn your-policy-arn --role-name SchedulerExecutionRole

    The attach-role-policy operation doesn't return a response on the command line.
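The trust policy in step 1 carries no condition keys, and the permission policies in step 3 use "Resource": "*". The following added example (not part of the original documentation) is a small pre-deployment check that flags both patterns in the saved JSON files before you pass them to `aws iam create-role` or `aws iam create-policy`. The function names are hypothetical, and the tightened variants are constructed from the sample account ID and queue ARN shown on this page; `aws:SourceAccount` and `aws:SourceArn` are IAM global condition keys, assumed here to be the kind of safeguard the Important note refers to.

```python
import copy

SERVICE = "scheduler.amazonaws.com"
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # IAM condition key names are case-insensitive

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy):
    """Flag statements that trust the Scheduler service with no source condition."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & SOURCE_KEYS:
            findings.append(f"Statement[{i}]: {SERVICE} can assume the role with no aws:SourceAccount/aws:SourceArn condition")
    return findings

def lint_permission_policy(policy):
    """Flag Allow statements whose Resource is the wildcard."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"Statement[{i}]: {as_list(stmt.get('Action', []))} allowed on every resource")
    return findings

# The trust policy from step 1 and the Amazon SQS permission policy from step 3.
PAGE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole"}]}
PAGE_SQS = {"Version": "2012-10-17", "Statement": [
    {"Action": ["sqs:SendMessage"], "Effect": "Allow", "Resource": "*"}]}

# Constructed tightened variants (assumption: the page's sample account and queue ARN).
TIGHT_TRUST = copy.deepcopy(PAGE_TRUST)
TIGHT_TRUST["Statement"][0]["Condition"] = {"StringEquals": {"aws:SourceAccount": "123456789012"}}
TIGHT_SQS = copy.deepcopy(PAGE_SQS)
TIGHT_SQS["Statement"][0]["Resource"] = "arn:aws:sqs:us-west-2:123456789012:MyQueue"

if __name__ == "__main__":
    for name, result in [("trust (page)", lint_trust_policy(PAGE_TRUST)),
                         ("trust (tightened)", lint_trust_policy(TIGHT_TRUST)),
                         ("sqs (page)", lint_permission_policy(PAGE_SQS)),
                         ("sqs (tightened)", lint_permission_policy(TIGHT_SQS))]:
        print(name, "->", result or "ok")
```

To check your own files, load them with `json.load` and pass the result to the matching function; an empty list means no finding.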

Set up a target

Before you create an EventBridge Scheduler schedule, you need at least one target for your schedule to invoke. You can use an existing Amazon resource, or create a new one. The following steps show how to create a new standard Amazon SQS queue with Amazon CloudFormation.

To create a new Amazon SQS queue
  1. Copy the following JSON Amazon CloudFormation template and save it locally as Scheduler-Target-SQS.json.

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "MyQueue": {
                "Type": "AWS::SQS::Queue",
                "Properties": {
                    "QueueName": "MyQueue"
                }
            }
        },
        "Outputs": {
            "QueueName": {
                "Description": "The name of the queue",
                "Value": {
                    "Fn::GetAtt": [
                        "MyQueue",
                        "QueueName"
                    ]
                }
            },
            "QueueURL": {
                "Description": "The URL of the queue",
                "Value": {
                    "Ref": "MyQueue"
                }
            },
            "QueueARN": {
                "Description": "The ARN of the queue",
                "Value": {
                    "Fn::GetAtt": [
                        "MyQueue",
                        "Arn"
                    ]
                }
            }
        }
    }
  2. From the Amazon CLI, run the following command to create an Amazon CloudFormation stack from the Scheduler-Target-SQS.json template.

    $ aws cloudformation create-stack --stack-name Scheduler-Target-SQS --template-body file://Scheduler-Target-SQS.json

    If successful, you'll see the following output:

    {
        "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/Scheduler-Target-SQS/1d2af345-a121-12eb-abc1-012e34567890"
    }
  3. Run the following command to view summary information for your Amazon CloudFormation stack. This information includes the status of the stack and the outputs specified in the template.

    $ aws cloudformation describe-stacks --stack-name Scheduler-Target-SQS

    If successful, the command creates the Amazon SQS queue and returns the following output:

    {
        "Stacks": [
            {
                "StackId": "arn:aws:cloudformation:us-west-2:123456789012:stack/Scheduler-Target-SQS/1d2af345-a121-12eb-abc1-012e34567890",
                "StackName": "Scheduler-Target-SQS",
                "CreationTime": "2022-03-17T16:21:29.442000+00:00",
                "RollbackConfiguration": {},
                "StackStatus": "CREATE_COMPLETE",
                "DisableRollback": false,
                "NotificationARNs": [],
                "Outputs": [
                    {
                        "OutputKey": "QueueName",
                        "OutputValue": "MyQueue",
                        "Description": "The name of the queue"
                    },
                    {
                        "OutputKey": "QueueARN",
                        "OutputValue": "arn:aws:sqs:us-west-2:123456789012:MyQueue",
                        "Description": "The ARN of the queue"
                    },
                    {
                        "OutputKey": "QueueURL",
                        "OutputValue": "https://sqs.us-west-2.amazonaws.com/123456789012/MyQueue",
                        "Description": "The URL of the queue"
                    }
                ],
                "Tags": [],
                "EnableTerminationProtection": false,
                "DriftInformation": {
                    "StackDriftStatus": "NOT_CHECKED"
                }
            }
        ]
    }

    Later in this guide, you'll use the value for QueueARN to set up the queue as a target for EventBridge Scheduler.

What's next?

After you've completed the setup steps, use the Getting started guide to create your first EventBridge Scheduler schedule and invoke a target.