Open akerra6993 opened 7 months ago
Thank you. Can you share the full error messages?
Error contacting AWS Service. | Message from Service: User: arn:aws:sts::{my account id}:assumed-role/{the state machine default role} is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-west-2:{my account id}:stateMachine:{state machine id} because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 5891e970-2bf1-4e15-9b06-f6f631b010b5)
This should work in the meantime:
```typescript
import { Policy, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// Attach a standalone Policy to the state machine's role instead of calling
// grantStartExecution on the machine itself, which creates a circular dependency.
const policy = new Policy(this, 'sfn-map-policy', {
  document: new PolicyDocument({
    statements: [new PolicyStatement({ resources: [machine.stateMachineArn], actions: ['states:StartExecution'] })],
  }),
});
policy.attachToRole(machine.role);
```
The new Distributed Map construct should also work - #28821
I have this issue and am using a DistributedMap state.
I attempted this:
```python
from aws_cdk import aws_iam as iam

# Adding the statement to the state machine's own default policy
self.state_machine.add_to_role_policy(
    iam.PolicyStatement(
        actions=["states:StartExecution"],
        resources=[self.state_machine.state_machine_arn],
    ),
)
```
But I get FAILED, Circular dependency between resources: [StateMachineB23A416F, StateMachineRoleDefaultPolicyD3EF01D8]
...but the form given by @rogerchi does work instead
```python
from aws_cdk import Aws, aws_iam as iam

# A separate Policy resource attached to the role avoids the circular dependency
policy = iam.Policy(
    self,
    "sfn-map-policy",
    document=iam.PolicyDocument(
        statements=[
            iam.PolicyStatement(
                resources=[self.state_machine.state_machine_arn],
                actions=["states:StartExecution"],
            ),
            # Needed to redrive a failed distributed map run
            iam.PolicyStatement(
                resources=[
                    f"arn:aws:states:*:{Aws.ACCOUNT_ID}:execution:{self.state_machine.state_machine_name}/*"
                ],
                actions=["states:RedriveExecution"],
            ),
        ],
    ),
)
policy.attach_to_role(self.state_machine.role)
```
I had to add another missing permission, to allow re-driving a failed distributed map run. Maybe there are other missing perms that I haven't run into yet.
Anyway, the point is that the DistributedMap state has not set up the permissions like it ought to.
Relevant docs: https://docs.aws.amazon.com/step-functions/latest/dg/iam-policies-eg-dist-map.html
Seems like at a minimum, you want:
- states:StartExecution on the state machine ARN
- states:StopExecution and states:DescribeExecution on execution ARNs (i.e., ${stateMachineArn}:*)
- states:RedriveExecution on labeled execution ARNs (i.e., ${stateMachineArn}/*:*)
Also, if you have a resultWriter S3 bucket, you'll need all the various permissions mentioned in the doc above for the bucket.
I see that the PR that added the DistributedMap construct did seem to set permissions other than RedriveExecution in the bind method of the state graph, packages/aws-cdk-lib/aws-stepfunctions/lib/state-graph.ts:
```typescript
/**
 * Binds this StateGraph to the StateMachine it defines and updates state machine permissions
 */
public bind(stateMachine: StateMachine) {
  for (const state of this.allStates) {
    if (DistributedMap.isDistributedMap(state)) {
      stateMachine.role.attachInlinePolicy(new iam.Policy(stateMachine, 'DistributedMapPolicy', {
        document: new iam.PolicyDocument({
          statements: [
            new iam.PolicyStatement({
              actions: ['states:StartExecution'],
              resources: [stateMachine.stateMachineArn],
            }),
            new iam.PolicyStatement({
              actions: ['states:DescribeExecution', 'states:StopExecution'],
              resources: [`${stateMachine.stateMachineArn}:*`],
            }),
          ],
        }),
      }));
      break;
    }
  }
}
```
But I'm still hitting errors like the following at runtime:
Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/ExampleStateMachineRole-w9L0WPmFgXQU/KFFycMGpPUoVXQJNEKPZfzjTqKAbOZlA is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Example because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: efa7d0da-0d5f-4359-bd3c-844ede092da5)
I have no resultWriter or itemReader in my state task here. Would that maybe affect things?
cc @abdelnn
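As an added illustration, not code from this thread or from aws-cdk, the Python below models the two policy documents discussed above (the statements StateGraph.bind() attaches, and the same set extended with RedriveExecution on labeled execution ARNs) and runs a simplified identity-policy check over the actions a distributed map parent needs. The state machine ARN and execution ids are constructed, the resource patterns follow the ones quoted in the thread, and the check models only Allow statements with `*` wildcards (no Deny, conditions or resource policies).

```python
import fnmatch

# Constructed sample ARN; in CDK this would come from stateMachine.stateMachineArn.
STATE_MACHINE_ARN = "arn:aws:states:us-east-2:123456789012:stateMachine:Example"


def cdk_bind_policy(arn: str) -> dict:
    """Statements equivalent to what the quoted StateGraph.bind() attaches for a DistributedMap."""
    return {"Statement": [
        {"Effect": "Allow", "Action": ["states:StartExecution"], "Resource": [arn]},
        {"Effect": "Allow", "Action": ["states:DescribeExecution", "states:StopExecution"],
         "Resource": [f"{arn}:*"]},
    ]}


def distributed_map_policy(arn: str) -> dict:
    """Same statements plus RedriveExecution on labeled execution ARNs (`<arn>/*:*`),
    the minimum set listed in the comment above."""
    doc = cdk_bind_policy(arn)
    doc["Statement"].append({"Effect": "Allow", "Action": ["states:RedriveExecution"],
                             "Resource": [f"{arn}/*:*"]})
    return doc


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified check: allowed if any Allow statement matches both action and
    resource using IAM-style '*' wildcards (fnmatchcase keeps matching case-sensitive)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in st["Action"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            return True
    return False


def missing_permissions(policy: dict, arn: str) -> list:
    """Return (action, resource) pairs a distributed-map parent role needs but the policy lacks.
    Execution ids and the map-run label below are constructed values."""
    needed = [
        ("states:StartExecution", arn),                       # start child executions on itself
        ("states:DescribeExecution", f"{arn}:abc123"),        # child execution ARN
        ("states:StopExecution", f"{arn}:abc123"),
        ("states:RedriveExecution", f"{arn}/label1:abc123"),  # labeled execution ARN
    ]
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]
```

Running missing_permissions against cdk_bind_policy reports only the RedriveExecution gap, which matches the extra statement the Python workaround above had to add; against distributed_map_policy it reports nothing.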
Describe the bug
Deploying a map state in a state machine using distributed processing mode (and standard execution type for the child executions) causes an IAM permissions issue since the parent state machine role doesn't have permission to start executions on itself. Trying to grant permissions via `stateMachine.grantStartExecution(stateMachine)` causes a circular dependency.
Expected Behavior
When using distributed processing mode, necessary permissions should be generated by default.
Current Behavior
Start execution permission for the child executions is not granted to the parent state machine.
Reproduction Steps
Possible Solution
Automatically add the necessary IAM policy to the parent state machine's default role
Additional Information/Context
No response
CDK CLI Version
2.122.0 (build 7e77e02)
Framework Version
No response
Node.js Version
v18.16.1
OS
MacOS Sonoma 14.0 (M2 Pro)
Language
TypeScript
Language Version
No response
Other information
technically I am using vanilla JS CDK language but that's not an option in the language dropdown.