This is a Bug Report
Description
What went wrong?
Incorrect IAM policies are generated under certain conditions, which triggers an error when running the `start-execution` command for the AWS Step Functions service. The issue that needs to be addressed is:
The ARN is incorrectly generated when the `name` property is not specified for the state machine.
Details
The ID of the state machine (`stateMachineId`) is being used instead of the `name` property. This can be seen [here](https://github.com/serverless-operations/serverless-step-functions/blob/28fa07b254bd2f6fef934fe940911dd36fa77615/lib/deploy/stepFunctions/compileIamRole.js#L654). However, when `name` is not specified, AWS CloudFormation generates a name for the state machine automatically, so an ARN built from `stateMachineId` does not match the deployed resource. Hence, the intrinsic function `{ "Fn::GetAtt": ["${stateMachineId}", "Name"] }` should be used instead of `stateMachineId`.
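To make the mismatch concrete, here is an added example (not code from serverless-step-functions) that models the two ways the `states:StartExecution` resource ARN can be written and resolves both against the physical names CloudFormation assigned in this report; the tiny intrinsic-function resolver, the `stack` object and the two `startExecutionResource*` helpers are constructed for this illustration.

```javascript
// Added example, not code from serverless-step-functions. It models the two ways the
// states:StartExecution resource ARN can be generated and resolves both against the
// physical names CloudFormation assigned, to show why the logical-ID form fails when
// `name` is omitted. The resolver is a small stand-in for CloudFormation (constructed).

// What CloudFormation knows after deploy. Logical IDs, region, account and physical
// names are taken from the report's `serverless info` output and error message.
const stack = {
  region: 'us-east-2',
  accountId: '123456789012',
  physicalNames: {
    // `name` omitted in serverless.yml: CloudFormation appended a random suffix
    Issue1StepFunctionsStateMachine: 'Issue1StepFunctionsStateMachine-wy5Zatw0sbt2',
    // `name: issue2` set explicitly: physical name still differs from the logical ID
    Issue2: 'issue2',
  },
};

// Resolve the intrinsics used below: Fn::Sub (string or [template, vars]) and
// Fn::GetAtt <LogicalId>.Name. Anything else is rejected rather than guessed.
function resolve(node, st) {
  if (typeof node === 'string') return node;
  if (node['Fn::GetAtt']) {
    const [logicalId, attr] = node['Fn::GetAtt'];
    if (attr !== 'Name') throw new Error(`unsupported attribute ${attr}`);
    return st.physicalNames[logicalId];
  }
  if (node['Fn::Sub']) {
    const [tpl, vars] = Array.isArray(node['Fn::Sub']) ? node['Fn::Sub'] : [node['Fn::Sub'], {}];
    return tpl.replace(/\$\{([^}]+)\}/g, (_, key) => {
      if (key === 'AWS::Region') return st.region;
      if (key === 'AWS::AccountId') return st.accountId;
      if (key in vars) return resolve(vars[key], st);
      throw new Error(`unresolved ${key}`);
    });
  }
  throw new Error('unsupported intrinsic');
}

// Failing form the report describes: the logical ID is written where the name belongs.
function startExecutionResourceBuggy(stateMachineId) {
  return { 'Fn::Sub': `arn:aws:states:\${AWS::Region}:\${AWS::AccountId}:stateMachine:${stateMachineId}` };
}

// Proposed form: let Fn::GetAtt supply whatever physical name CloudFormation chose.
function startExecutionResourceFixed(stateMachineId) {
  return { 'Fn::Sub': ['arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${Name}',
    { Name: { 'Fn::GetAtt': [stateMachineId, 'Name'] } }] };
}
```

If this resource ends up in an inline policy of the execution role of the same state machine it names, the `Fn::GetAtt` makes the role depend on the state machine while the state machine already depends on the role, which CloudFormation rejects as a circular dependency; in that layout the statement has to live in a separate `AWS::IAM::Policy` attached to the role.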
What did you expect should have happened?
The IAM policy should grant the correct permissions for State Machine execution even when the `name` property isn't specified.
What error message from your provider did you see?
The following error was received when executing the `aws stepfunctions start-execution` command:
```
"cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
```
Additional Data
- Serverless Framework Core Version you're using: 3.34.0
- The Plugin Version you're using: 3.14.0
- Operating System: macOS 13.4.1 (ARM64)
- Provider Error messages: Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)
What was the config you used?
serverless.yaml
Logs
```shell
$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev
Stack Outputs:
  Issue1StepFunctionsStateMachineArn: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
  ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4
$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "startDate": "2023-08-22T17:52:19.712000+09:00"
}
$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0"
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2",
    "name": "a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "status": "FAILED",
    "startDate": "2023-08-22T17:52:19.712000+09:00",
    "stopDate": "2023-08-22T17:52:27.256000+09:00",
    "input": "{}",
    "inputDetails": {
        "included": true
    },
    "error": "States.Runtime",
    "cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
}
$ vim serverless.yml   # set name: issue2
$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev
Stack Outputs:
  Issue2Arn: arn:aws:states:us-east-2:123456789012:stateMachine:issue2
  ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4
$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:issue2
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "startDate": "2023-08-22T17:54:18.705000+09:00"
}
$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b"
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:issue2",
    "name": "3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "status": "SUCCEEDED",
    "startDate": "2023-08-22T17:54:18.705000+09:00",
    "stopDate": "2023-08-22T17:54:21.507000+09:00",
    "input": "{}",
    "inputDetails": {
        "included": true
    },
    "output": "[1,2,3]",
    "outputDetails": {
        "included": true
    }
}
```