serverless-step-functions
Incorrect IAM Policy for serverless step functions in distributed mode without name specified
This is a Bug Report
Description
- What went wrong?
Incorrect IAM policies are being generated under certain conditions, which triggered an error when running the `start-execution` command for the AWS Step Functions service. The issues that need to be addressed are:
- The ARN is incorrectly generated when the `name` property is not specified for the state machine.
Details
The ID of the state machine (`stateMachineId`) is being used instead of the `name` property. This can be seen here. However, when `name` is not specified, AWS CloudFormation generates a name for the state machine automatically. Hence, the mapping function `{ "Fn::GetAtt": ["${stateMachineId}", "Name"] }` should be used instead of `stateMachineId`.
- The ARN is incorrectly generated when the
- What did you expect should have happened?
The IAM policy should grant the correct permissions for State Machine execution even when the name property isn't specified.
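To make the mismatch concrete, here is an added example (my own code, not the plugin's) that builds the policy `Resource` both ways and resolves it against a stub stack constructed from the deploy output below; the `resolve` helper and the `STACK` values are assumptions for illustration, not CloudFormation itself.

```javascript
// Added example (not the plugin's own code): the report says the generated IAM
// policy splices the CloudFormation logical ID (stateMachineId) into the ARN where
// the state machine *name* belongs, so with `name` omitted it names a non-existent ARN.

// Buggy shape: the logical ID is used as if it were the state machine name.
function buggyStartExecutionResource(stateMachineId) {
  return {
    'Fn::Sub': 'arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:' + stateMachineId,
  };
}

// Fixed shape: use the explicit name when given, otherwise resolve the
// CloudFormation-generated name at deploy time via Fn::GetAtt [id, "Name"].
function fixedStartExecutionResource(stateMachineId, name) {
  const nameToken = name !== undefined ? name : { 'Fn::GetAtt': [stateMachineId, 'Name'] };
  return {
    'Fn::Join': ['', [
      'arn:aws:states:', { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' },
      ':stateMachine:', nameToken,
    ]],
  };
}

// The full statement a Distributed Map state needs to start its child executions.
function startExecutionStatement(stateMachineId, name) {
  return { Effect: 'Allow', Action: ['states:StartExecution'], Resource: [fixedStartExecutionResource(stateMachineId, name)] };
}

// Tiny resolver for the intrinsics used above (hypothetical stand-in for what
// CloudFormation does at deploy time; only these four functions are handled).
function resolve(node, stack) {
  if (typeof node === 'string') return node;
  if ('Ref' in node) return stack.params[node.Ref];
  if ('Fn::GetAtt' in node) { const [id, attr] = node['Fn::GetAtt']; return stack.resources[id][attr]; }
  if ('Fn::Join' in node) { const [sep, parts] = node['Fn::Join']; return parts.map(p => resolve(p, stack)).join(sep); }
  if ('Fn::Sub' in node) return node['Fn::Sub'].replace(/\$\{([^}]+)\}/g, (_, k) => stack.params[k]);
  throw new Error('unsupported intrinsic: ' + JSON.stringify(node));
}

// Does the policy's Resource, once resolved, match the ARN the deploy actually produced?
function policyCoversArn(resourceNode, deployedArn, stack) {
  return resolve(resourceNode, stack) === deployedArn;
}

// Constructed stub stack mirroring the report: region, account, and the
// auto-generated name that appears in `serverless info --verbose`.
const STACK = {
  params: { 'AWS::Region': 'us-east-2', 'AWS::AccountId': '123456789012' },
  resources: { Issue1StepFunctionsStateMachine: { Name: 'Issue1StepFunctionsStateMachine-wy5Zatw0sbt2' } },
};
const DEPLOYED_ARN = 'arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2';
```

The buggy resource resolves to an ARN ending in the bare logical ID, which is exactly why the child executions are denied `states:StartExecution` while the named `issue2` deployment succeeds.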
- What was the config you used?
serverless.yaml
```yaml
service: issue1
provider:
  name: aws
  region: us-east-2
plugins:
  - serverless-step-functions
stepFunctions:
  stateMachines:
    issue1:
      definition:
        StartAt: GenList
        States:
          GenList:
            Type: Pass
            Next: Map
            Result:
              - 1
              - 2
              - 3
          Map:
            Type: Map
            ItemProcessor:
              ProcessorConfig:
                Mode: DISTRIBUTED
                ExecutionType: STANDARD
              StartAt: Pass
              States:
                Pass:
                  Type: Pass
                  End: true
            End: true
            MaxConcurrency: 1000
```
- What error message from your provider did you see?
The following error was received when executing the `aws stepfunctions start-execution` command:
"cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
Additional Data
- Serverless Framework Core Version you're using: 3.34.0
- The Plugin Version you're using: 3.14.0
- Operating System: macOS 13.4.1 (ARM64)
- Provider Error messages:
Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)
Logs
$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev
Stack Outputs:
Issue1StepFunctionsStateMachineArn: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4
$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
{
"executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
"startDate": "2023-08-22T17:52:19.712000+09:00"
}
$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0"
{
"executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
"stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2",
"name": "a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
"status": "FAILED",
"startDate": "2023-08-22T17:52:19.712000+09:00",
"stopDate": "2023-08-22T17:52:27.256000+09:00",
"input": "{}",
"inputDetails": {
"included": true
},
"error": "States.Runtime",
"cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
}
$ vim serverless.yml # set name: issue2
$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev
Stack Outputs:
Issue2Arn: arn:aws:states:us-east-2:123456789012:stateMachine:issue2
ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4
$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:issue2
{
"executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
"startDate": "2023-08-22T17:54:18.705000+09:00"
}
$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b"
{
"executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
"stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:issue2",
"name": "3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
"status": "SUCCEEDED",
"startDate": "2023-08-22T17:54:18.705000+09:00",
"stopDate": "2023-08-22T17:54:21.507000+09:00",
"input": "{}",
"inputDetails": {
"included": true
},
"output": "[1,2,3]",
"outputDetails": {
"included": true
}
}