I am following the AWS Step Functions tutorial. The whole state machine process is like this.
I have a role called step_functions_basic_execution with policy AWSLambdaRole. My Step Functions state machine is using this role.
My step function is
{
  "Comment": "A simple AWS Step Functions state machine that automates a call center support session.",
  "StartAt": "Open Case",
  "States": {
    "Open Case": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-west-2:829495130000:function:OpenCaseFunction",
      "Next": "Assign Case"
    },
    ...
  }
}
The corresponding Open Case Lambda function is
exports.handler = (event, context, callback) => {
    // Create a support case using the input as the case ID, then return a confirmation message
    var myCaseID = event.inputCaseID;
    var myMessage = "Case " + myCaseID + ": opened...";
    var result = {Case: myCaseID, Message: myMessage};
    callback(null, result);
};
When I tried to run it, it failed at the first step, Open Case.
The input is
{
"inputCaseID": "001"
}
It throws error:
States.TaskFailed
Neither the global service principal states.amazonaws.com, nor the regional one is authorized to assume the provided role.
Any idea how to fix it? Thanks
To allow users to assume the current role again within a role session, specify the role ARN or AWS account ARN as a principal in the role trust policy.
Assuming a role involves using a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.
AWS AssumeRole allows you to grant temporary credentials with additional privileges to users as needed, following the principle of least privilege. To configure AssumeRole access, you must define an IAM role that specifies the privileges that it grants and which entities can assume it.
Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide. Of course, once you have created a role that you are capable of assuming, you need to actually "Assume" that role.
Thanks to Joel Kinzel's guide. It was my mistake.
I made a mistake at Step 2c.
On the Create Roles screen, leave AWS Service selected, select Step Functions
I chose Lambda instead of Step Functions. Even though on the next page I still added AWSLambdaRole, it does not help and causes the issue.
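As an added example (not part of the original posts or the AWS tutorial), the check below reads a role's trust policy and reports whether Step Functions is allowed to assume it, which is the condition the error message refers to. The sample policies are constructed, the function names are hypothetical, and Condition blocks are not evaluated.

```javascript
// Added example: does a role trust policy let Step Functions assume the role?
// Hypothetical helper names; Condition and Deny handling are out of scope.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Collect every service principal that an Allow statement lets call sts:AssumeRole.
function trustedServices(trustPolicy) {
  const services = new Set();
  for (const stmt of asList(trustPolicy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const actions = asList(stmt.Action).map((a) => a.toLowerCase());
    const allowsAssume = actions.some(
      (a) => a === "sts:assumerole" || a === "sts:*" || a === "*"
    );
    if (!allowsAssume) continue;
    const principal = stmt.Principal;
    if (!principal || typeof principal !== "object") continue;
    // Principal.Service may be a single string or an array of strings.
    for (const svc of asList(principal.Service)) services.add(svc.toLowerCase());
  }
  return [...services];
}

// Step Functions accepts the global principal or the regional one.
function stepFunctionsCanAssume(trustPolicy, region) {
  const wanted = ["states.amazonaws.com", `states.${region}.amazonaws.com`];
  return trustedServices(trustPolicy).some((s) => wanted.includes(s));
}

// Constructed sample: trust policy of a role created with the Lambda use case.
const lambdaTrust = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" },
  ],
};

// Constructed sample: trust policy of a role created with the Step Functions use case.
const statesTrust = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: { Service: "states.amazonaws.com" }, Action: "sts:AssumeRole" },
  ],
};

console.log("Lambda use case:", stepFunctionsCanAssume(lambdaTrust, "us-west-2"));
console.log("Step Functions use case:", stepFunctionsCanAssume(statesTrust, "us-west-2"));
```

Attaching AWSLambdaRole changes what the role may do once assumed, but not who may assume it, so the first policy fails this check regardless of the permissions attached.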