Tags: amazon-web-services, aws-cloudformation, aws-step-functions

StepFunction assume role unable to execute the StepFunction


I have a StepFunction with a map state that just has a lambda in it, which executes through the entries of a JSON file in S3.

However, when the execution gets to this state I get the following error:

Error contacting AWS Service. | Message from Service: User: arn:aws:sts::REDACTED:assumed-role/REDACTED-LAMBDA_NAME-StepFunctionRole-Z0smWdZYLhdn/REDACTED is not authorized to perform: states:StartExecution on resource: arn:aws:states:REDACTED:REDACTED:stateMachine:StepFunction-51pYN5XgrJmy because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: REDACTED) (SDK Attempt Count: 1)

I have redacted parts that are sensitive.

This role is generated implicitly through SAM/CFN with the following setup:

  StepFunction:
    Type: AWS::Serverless::StateMachine
    Properties:
      Policies:
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - LambdaInvokePolicy:
            FunctionName: !Ref REDACTED
        - S3FullAccessPolicy:
            BucketName: !Ref REDACTED
        - Statement:
            - Effect: Allow
              Action:
                - "logs:CreateLogDelivery"
                - "logs:GetLogDelivery"
                - "logs:UpdateLogDelivery"
                - "logs:DeleteLogDelivery"
                - "logs:ListLogDeliveries"
                - "logs:PutLogEvents"
                - "logs:PutResourcePolicy"
                - "logs:DescribeResourcePolicies"
                - "logs:DescribeLogGroups"
              Resource: "*"

I'm confused about how this role, which is generated for the StepFunction, is getting this error.

I am running the step function through the UI/console for testing. The first state of the step function, which is a lambda call, works correctly and returns what I'd expect. I then get the error quoted above.

I then tried adding this section to the implicit role to see if it'd fix it.

        - StepFunctionsExecutionPolicy:
            StateMachineName: !GetAtt StepFunction.Name

This then gives me the following circular dependency error when calling sam deploy:

For expression "Status" we matched expected path: "FAILED" Status: FAILED. Reason: Circular dependency between resources: [StepFunctionRole, StepFunction].

I then manually added this permission to the role in the console, and the execution worked.

Is there a way I can do this programmatically with SAM/CFN?


Solution

  • I think the problem is that you are trying to give states:StartExecution permission to the state machine, but when SAM tries to resolve the state machine ARN, it points to itself and the ARN doesn't exist yet.

    You can try a fixed approach if you know the state machine name, something like:

        - Statement:
            - Effect: Allow
              Action: "states:StartExecution"
              Resource: "arn:aws:states:<region>:<account>:stateMachine:<state-machine-name>"

    instead of using !GetAtt.
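The following template puts the answer's idea into a complete SAM template. It is an added example and is not part of the question or the answer. A Map state that reads a JSON array from S3 is a Distributed Map, and Distributed Map runs each batch of items as a child execution of the same state machine; that is why the implicitly generated role is refused states:StartExecution on itself. The cycle disappears when the state machine name is fixed in a Parameter and the ARN is built with !Sub from pseudo parameters, because the role then depends on the parameter rather than on the state machine resource. The names StateMachineName, InputBucketName, ProcessItemFunction and the object key items.json are assumptions chosen for the example.

```yaml
# Added example (not the original poster's template): a SAM state machine whose
# generated role may start, inspect and stop child executions of itself, scoped
# to this one state machine, without a circular dependency.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  StateMachineName:
    Type: String
    Default: stocks-transactions-map     # assumed name; fixed up front on purpose
  InputBucketName:
    Type: String                          # assumed: bucket that holds items.json

Resources:
  ProcessItemFunction:                    # assumed Lambda invoked inside the Map
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      InlineCode: |
        def handler(event, context):
            # Each Distributed Map child execution passes one item here.
            return {"processed": event}

  StepFunction:
    Type: AWS::Serverless::StateMachine
    Properties:
      Name: !Ref StateMachineName         # the ARN is now known before deployment
      DefinitionSubstitutions:
        ProcessItemFunctionArn: !GetAtt ProcessItemFunction.Arn
        InputBucketName: !Ref InputBucketName
      Definition:
        StartAt: ProcessItems
        States:
          ProcessItems:
            Type: Map
            ItemReader:                   # reads the JSON array of items from S3
              Resource: arn:aws:states:::s3:getObject
              ReaderConfig:
                InputType: JSON
              Parameters:
                Bucket: "${InputBucketName}"
                Key: items.json           # assumed object key
            ItemProcessor:
              ProcessorConfig:
                Mode: DISTRIBUTED         # child executions of this state machine
                ExecutionType: STANDARD
              StartAt: ProcessItem
              States:
                ProcessItem:
                  Type: Task
                  Resource: arn:aws:states:::lambda:invoke
                  Parameters:
                    FunctionName: "${ProcessItemFunctionArn}"
                    Payload.$: "$"
                  End: true
            MaxConcurrency: 10
            End: true
      Policies:
        - LambdaInvokePolicy:
            FunctionName: !Ref ProcessItemFunction
        - S3ReadPolicy:                   # ItemReader only needs to read the bucket
            BucketName: !Ref InputBucketName
        # Distributed Map needs these on the parent state machine itself. The
        # resources are built from parameters, so no !GetAtt on StepFunction and
        # no cycle; they name this one state machine rather than "*".
        - Statement:
            - Effect: Allow
              Action: states:StartExecution
              Resource: !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${StateMachineName}"
            - Effect: Allow
              Action:
                - states:DescribeExecution
                - states:StopExecution
              Resource: !Sub "arn:${AWS::Partition}:states:${AWS::Region}:${AWS::AccountId}:execution:${StateMachineName}:*"
```

Two things to check after sam deploy: the generated StepFunctionRole's inline policy should show the two states: statements with the concrete ARNs substituted, and a console run of the Map state should create child executions named after the parent. Scoping the Resource to the single state machine (and its execution ARNs) instead of "*" keeps the role from being able to start or stop any other state machine in the account, which is the least-privilege shape a reviewer would expect for a role that only ever fans out to itself.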