
I am getting the following error when I try to create a state machine based on my state machine definition:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.

The creation code:

import boto3

# SFN_ROLE is the ARN of the execution role and state_machine_def is the ASL definition
# as a JSON string; both are defined elsewhere in my script.
sfn_client = boto3.client('stepfunctions')

state_machine = sfn_client.create_state_machine(
    name='state-machine',
    definition=state_machine_def,
    roleArn=SFN_ROLE,
)

My IAM role that I use contains all necessary permissions as described here. What kind of managed-rule does it need to have a permission to create?

Alex Barysevich
  • So have you applied a policy to the role? Can you share the IAM policy attached to the role? – Juned Ahsan Sep 19 '19 at 00:43
  • I have the following policies attached to the role: AWSLambdaRole, CloudWatchFullAccess, plus custom policies that allow full AWS Batch/ECR access as well as passing the role. – Alex Barysevich Sep 19 '19 at 00:47

3 Answers

The reason was that the CloudWatchFullAccess policy attached to the SFN_ROLE does not have enough permissions for the Step Functions workflow to post events into CloudWatch. Once I replaced it with CloudWatchEventsFullAccess everything works OK.

Alex Barysevich
  • It looks like CloudWatchEventsFullAccess gives the CFN_ROLE full access to CWE "Action": "events:*", "Resource": "*". Were you able to narrow down the exact permissions required? – kylevoyto Apr 03 '20 at 14:38

The issue is this:

{
    "Effect": "Allow",
    "Action": [
        "events:PutTargets",
        "events:PutRule",
        "events:DescribeRule"
    ],
    "Resource": [
        "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
    ]
}

According to the AWS Step Functions documentation on nested workflow executions, you need to add this specific rule so that the Step Functions role can listen for and create events. StepFunctionsGetEventsForStepFunctionsExecutionRule is the rule you are looking for.

Joe.CK
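Both answers above point at the same root cause: a `.sync` service integration (here a nested `states:startExecution.sync`) makes Step Functions create a managed EventBridge rule on the execution role's behalf, and CreateStateMachine fails up front if the role is not allowed to do so. The following is an added example, not code from the question or from either answer, that walks an ASL definition, works out which managed rules it actually needs, and emits the narrowly scoped statement in place of `events:*` (the question raised in the comment under the accepted answer). The nested-workflow rule name is the one quoted above; the AWS Batch and ECS rule names are the ones AWS documents for those `.sync` integrations and are included as a generalization, so confirm the name for any other integration you use. `attach_managed_rule_policy` accepts any object with a boto3-style `put_role_policy` method; the sample definition, role name, region and account ID are constructed for the example.

```python
import json

# Service integrations whose ".sync" (run-a-job) pattern makes Step Functions create a
# managed EventBridge rule using the execution role. The nested-workflow name is the one
# quoted in the answer above; the Batch and ECS names are AWS's documented names for those
# integrations. Any integration not listed here is treated as needing no managed rule.
MANAGED_RULES = {
    "arn:aws:states:::states:startExecution": "StepFunctionsGetEventsForStepFunctionsExecutionRule",
    "arn:aws:states:::batch:submitJob": "StepFunctionsGetEventsForBatchJobsRule",
    "arn:aws:states:::ecs:runTask": "StepFunctionsGetEventsForECSTaskRule",
}

# The three actions Step Functions needs on the managed rule (as in the answer above).
MANAGED_RULE_ACTIONS = ["events:PutTargets", "events:PutRule", "events:DescribeRule"]


def _iter_states(states):
    """Yield every state in an ASL 'States' map, descending into Parallel branches and Map iterators."""
    for state in states.values():
        yield state
        for branch in state.get("Branches", []):          # Parallel state
            yield from _iter_states(branch.get("States", {}))
        for key in ("Iterator", "ItemProcessor"):          # Map state, old and new field names
            if key in state:
                yield from _iter_states(state[key].get("States", {}))


def sync_managed_rules(definition):
    """Return the set of managed rule names the role must be able to create for this definition."""
    rules = set()
    for state in _iter_states(definition.get("States", {})):
        resource = state.get("Resource", "")
        if state.get("Type") != "Task" or ".sync" not in resource:
            continue  # request/response and .waitForTaskToken patterns create no managed rule
        base = resource.split(".sync", 1)[0]  # strips both '.sync' and '.sync:2'
        if base in MANAGED_RULES:
            rules.add(MANAGED_RULES[base])
    return rules


def managed_rule_statement(definition, region, account_id):
    """Least-privilege IAM statement scoped to the managed rules the definition actually needs."""
    rules = sorted(sync_managed_rules(definition))
    if not rules:
        return None
    return {
        "Effect": "Allow",
        "Action": MANAGED_RULE_ACTIONS,
        # Managed rules are created in the state machine's own account and region.
        "Resource": [f"arn:aws:events:{region}:{account_id}:rule/{r}" for r in rules],
    }


def attach_managed_rule_policy(iam_client, role_name, definition, region, account_id,
                               policy_name="StepFunctionsManagedRules"):
    """Put the statement on the role as an inline policy; iam_client is a boto3 IAM client."""
    statement = managed_rule_statement(definition, region, account_id)
    if statement is None:
        return None
    document = {"Version": "2012-10-17", "Statement": [statement]}
    iam_client.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                               PolicyDocument=json.dumps(document))
    return document


# Constructed sample definition (not the question's): a nested sync execution inside a
# Parallel branch next to a plain Lambda task, which needs no managed rule.
SAMPLE_DEFINITION = {
    "StartAt": "Fan",
    "States": {
        "Fan": {
            "Type": "Parallel",
            "Branches": [
                {"StartAt": "Child", "States": {"Child": {
                    "Type": "Task",
                    "Resource": "arn:aws:states:::states:startExecution.sync:2",
                    "Parameters": {"StateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:child"},
                    "End": True}}},
                {"StartAt": "Fn", "States": {"Fn": {
                    "Type": "Task",
                    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:fn",
                    "End": True}}},
            ],
            "End": True,
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(managed_rule_statement(SAMPLE_DEFINITION, "us-east-1", "123456789012"), indent=2))
```

Running the module prints the single-rule statement for the sample; to apply it for real, pass `boto3.client('iam')` and the role name to `attach_managed_rule_policy` before calling `create_state_machine`. Because the rule is created in the state machine's account and region, the Resource ARN should carry those values rather than wildcards, and the role still needs the permissions of the target service itself (for example `states:StartExecution` on the child state machine).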

Most likely you have missed adding the right policy to the IAM role. Here is a policy from the official documentation that allows you to create and list state machines.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [
        "arn:aws:states:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]
}

Juned Ahsan