Incorrect IAM policies are being generated under certain conditions, which triggers an error when running the start-execution command for the AWS StepFunctions service. The issues that need to be addressed are:
The ARN is incorrectly generated when the name property is not specified for the state machine.
Details
The ID of the state machine (stateMachineId) is being used instead of the name property. This can be seen here. However, when name is not specified, AWS CloudFormation generates a name for the state machine automatically. Hence, the mapping function { "Fn::GetAtt": ["${stateMachineId}", "Name"] } should be used instead of stateMachineId.
What did you expect should have happened?
The IAM policy should grant the correct permissions for State Machine execution even when the name property isn't specified.
What error message from your provider did you see?
The following error was received when executing the aws stepfunctions start-execution command:
"cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
Additional Data
Serverless Framework Core Version you're using: 3.34.0
The Plugin Version you're using: 3.14.0
Operating System: macOS 13.4.1 (ARM64)
Provider Error messages: Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)
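The following is an added example, not code from the issue or from the serverless-step-functions plugin. It models the mismatch the error message shows: when the role policy's resource ARN is built from the CloudFormation logical ID, it only matches a state machine whose physical name equals that ID, while a state machine deployed without StateMachineName gets a generated name with a random suffix. The intrinsic-function resolver, the simulated deployment (including the constructed suffix), the exact shape of the buggy and fixed Fn::Sub expressions, and the simplified IAM matcher are all assumptions made for the illustration.

```python
"""Why an IAM resource ARN built from the state machine's logical ID fails
when the state machine has no explicit name.

Added example, not the plugin's own code. deploy(), resolve() and iam_allows()
are constructed stand-ins for CloudFormation and IAM behaviour.
"""
import fnmatch

ACCOUNT = "123456789012"
REGION = "us-east-2"
STATE_MACHINE_ID = "Issue1StepFunctionsStateMachine"  # CloudFormation logical ID
CONSTRUCTED_SUFFIX = "wy5Zatw0sbt2"  # stands in for CloudFormation's random suffix


def build_template(with_name: bool) -> dict:
    """Minimal template with one state machine; StateMachineName is optional."""
    props = {"DefinitionString": "{}",
             "RoleArn": f"arn:aws:iam::{ACCOUNT}:role/hypothetical-role"}
    if with_name:
        props["StateMachineName"] = STATE_MACHINE_ID
    return {"Resources": {STATE_MACHINE_ID: {
        "Type": "AWS::StepFunctions::StateMachine", "Properties": props}}}


def deploy(template: dict) -> dict:
    """Stand-in for a CloudFormation deployment: returns the Name and Arn
    attributes of each state machine. Without StateMachineName, the physical
    name is derived from the logical ID plus a generated suffix."""
    resolved = {}
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::StepFunctions::StateMachine":
            continue
        name = res.get("Properties", {}).get("StateMachineName")
        if name is None:
            name = f"{logical_id}-{CONSTRUCTED_SUFFIX}"
        resolved[logical_id] = {
            "Name": name,
            "Arn": f"arn:aws:states:{REGION}:{ACCOUNT}:stateMachine:{name}",
        }
    return resolved


def resolve(value, resolved: dict) -> str:
    """Resolve the subset of intrinsics used below: Fn::GetAtt and both the
    string and [string, variables] forms of Fn::Sub with pseudo parameters."""
    if isinstance(value, str):
        return value
    if "Fn::GetAtt" in value:
        logical_id, attr = value["Fn::GetAtt"]
        return resolved[logical_id][attr]
    if "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        text, variables = (sub, {}) if isinstance(sub, str) else sub
        text = text.replace("${AWS::Region}", REGION).replace("${AWS::AccountId}", ACCOUNT)
        for var, var_value in variables.items():
            text = text.replace("${" + var + "}", resolve(var_value, resolved))
        return text
    raise ValueError(f"unsupported intrinsic: {value!r}")


def iam_allows(policy: dict, action: str, resource_arn: str, resolved: dict) -> bool:
    """Simplified identity-based policy check: Allow if any statement's Action
    and Resource (IAM '*'/'?' wildcards) match. Deny and conditions not modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
                fnmatch.fnmatchcase(resource_arn, resolve(r, resolved)) for r in resources):
            return True
    return False


# Buggy shape (assumed): the ARN is built from the logical ID itself.
BUGGY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "states:StartExecution",
    "Resource": {"Fn::Sub": "arn:aws:states:${AWS::Region}:${AWS::AccountId}"
                            f":stateMachine:{STATE_MACHINE_ID}"}}]}

# Fixed shape (assumed): the ARN uses the Name attribute, as the issue proposes.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "states:StartExecution",
    "Resource": {"Fn::Sub": [
        "arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:${Name}",
        {"Name": {"Fn::GetAtt": [STATE_MACHINE_ID, "Name"]}}]}}]}


def start_execution_allowed(policy: dict, with_name: bool) -> bool:
    """Deploy, then ask whether the policy allows StartExecution on the deployed ARN."""
    resolved = deploy(build_template(with_name))
    return iam_allows(policy, "states:StartExecution",
                      resolved[STATE_MACHINE_ID]["Arn"], resolved)


if __name__ == "__main__":
    for label, policy in (("buggy", BUGGY_POLICY), ("fixed", FIXED_POLICY)):
        for with_name in (True, False):
            print(label, "with_name=%s" % with_name,
                  start_execution_allowed(policy, with_name))
```

With an explicit name both policies allow the call, which is why the bug only surfaces when name is omitted: the generated physical name no longer equals the logical ID, so the resource ARN in the role policy never matches the deployed state machine and the StartExecution call is rejected exactly as in the error above.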