Problem
When running terraform plan or terraform apply to configure an AWS CloudWatch log subscription filter, the operation fails with an AccessDeniedException.
The following error message appears in the output:
Error: Error creating Cloudwatch log subscription filter: AccessDeniedException: Cross-account role passing is not allowed. status code: 400, request id: XXXXXXXXXXXXX
Cause
This error occurs because the IAM role used by Terraform lacks the necessary permissions to manage EventBridge rules across different AWS accounts. AWS requires explicit permission to be granted before a role in one account can pass events to another, which is not configured by default.
Solution
To resolve this error, you must explicitly grant cross-account permissions using the aws_cloudwatch_event_permission resource. This resource creates an EventBridge permission (a statement in the event bus resource policy) that authorizes another AWS account to put events on the current account's default event bus.
Procedure
- Add an aws_cloudwatch_event_permission resource to your Terraform configuration. This resource defines the permission for the target account. The following example grants the AWS account with the ID 123456789012 permission to perform the events:PutEvents action.

```hcl
# Grant account 123456789012 permission to put events on this account's default event bus.
# The default event bus already exists in every account and cannot be created with an
# aws_cloudwatch_event_bus resource (the name "default" is reserved), so it is referenced
# by name here instead of being declared as a managed resource.
resource "aws_cloudwatch_event_permission" "cross_account_permission" {
  principal      = "123456789012"
  statement_id   = "AllowAccountToPutEvents"
  action         = "events:PutEvents"
  event_bus_name = "default"
}
```

- After adding the resource, run terraform apply to create the permission in AWS.
- As a final verification, confirm that your cross-account setup aligns with the guidelines provided by AWS for cross-account and cross-region functionality.
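The permission created above ends up as a statement in the resource policy of the default event bus, which you can read back with `aws events describe-event-bus --name default`. The following script is an added example, not part of the original article or of the Terraform provider: it parses a constructed copy of that CLI output (account IDs, region and ARNs are assumptions) and audits the policy the way a reviewer would during the final verification step, confirming that only the intended account is granted only events:PutEvents and flagging anonymous principals or broader actions. The second sample, also constructed, shows what an over-permissive policy looks like to the audit.

```python
import json

# Constructed sample modelled on the shape of `aws events describe-event-bus --name default`
# output after the aws_cloudwatch_event_permission from the procedure has been applied.
# Account 111111111111 (bus owner) and the region are assumptions, not captured output.
# AWS renders a bare account principal as the account's root ARN in the stored policy.
BUS_ARN = "arn:aws:events:us-east-1:111111111111:event-bus/default"

SAMPLE_DESCRIBE_EVENT_BUS = {
    "Name": "default",
    "Arn": BUS_ARN,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccountToPutEvents",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "events:PutEvents",
            "Resource": BUS_ARN,
        }],
    }),
}

# Constructed counter-example: anonymous principal and a wildcard action.
SAMPLE_OVERLY_PERMISSIVE = {
    "Name": "default",
    "Arn": BUS_ARN,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAnyone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "events:*",
            "Resource": BUS_ARN,
        }],
    }),
}

EXPECTED_ACTION = "events:PutEvents"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Return the principal identifiers of a statement ('*' for anonymous access)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for key in ("AWS", "Service", "Federated"):
            found.extend(_as_list(principal.get(key)))
        return found
    return []


def account_of(principal):
    """Extract the account ID from an IAM ARN, or pass through a bare ID or '*'."""
    parts = principal.split(":")
    if len(parts) >= 5 and parts[0] == "arn":
        return parts[4]
    return principal


def audit_event_bus_policy(describe_output, allowed_accounts):
    """Return (grants, findings) for the Allow statements in the bus resource policy.

    grants: list of (Sid, account, actions) tuples for every Allow statement.
    findings: human-readable strings for anything broader than one trusted
    account being allowed only EXPECTED_ACTION.
    """
    policy = json.loads(describe_output.get("Policy") or "{}")
    grants, findings = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        actions = _as_list(stmt.get("Action"))
        for principal in principals_of(stmt):
            account = account_of(principal)
            grants.append((sid, account, tuple(actions)))
            if account == "*" and "Condition" not in stmt:
                findings.append(f"{sid}: anonymous principal without a Condition")
            elif account != "*" and account not in allowed_accounts:
                findings.append(f"{sid}: unexpected account {account}")
        for action in actions:
            if action != EXPECTED_ACTION:
                findings.append(f"{sid}: action {action} broader than {EXPECTED_ACTION}")
    return grants, findings


if __name__ == "__main__":
    for label, sample in (("expected", SAMPLE_DESCRIBE_EVENT_BUS),
                          ("permissive", SAMPLE_OVERLY_PERMISSIVE)):
        grants, findings = audit_event_bus_policy(sample, {"123456789012"})
        print(label, grants, findings or "no findings")
```

Pipe real CLI output into `audit_event_bus_policy` with the set of accounts you intend to trust; an empty findings list together with a single grant for the intended account means the permission matches the Terraform resource. Note that the resource policy is only the receiving side: the sending account still needs an IAM policy allowing events:PutEvents on the bus ARN before its principals can deliver events.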
Additional Information
- For more details on the resource, refer to the Terraform AWS Provider documentation for aws_cloudwatch_event_permission.
- For more information on the AWS feature, see the AWS guide on Cross-Account Cross-Region CloudWatch Console.