Nested Step Function in a Step Function: Unknown Error: "...not authorized to create managed-rule"

[Updated 5/22/2020 based on the post from @Matt and the comment from @Joe.CK to reduce the scope to the specific Resource required.]

This Stack Overflow question pointed me in the right direction: "botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation"

The issue appears to be stemming from CloudWatch and I was able to get past it by adding the following statement to my IAM policy.

- Effect: Allow
  Action:
  - events:PutTargets
  - events:PutRule
  - events:DescribeRule
  Resource: 
  - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule

The AWS Step Functions sample project "Start a workflow within a workflow" includes something similar but restricted to a single Lambda function it invokes.


Adding the full Role definition that solved the problem, combining what Andrew provided and what was in the documentation. It's in four parts:

  1. Allow the Child Step Function to run via states:StartExecution
  2. Allow the Parent to Describe and Stop any Step Functions. (I'd presume that this may be able to be more closely tailored, with the resource; however, this is a copy and paste from AWS' documentation.)
  3. Allow the Parent to create/modify (Put) a rule into Cloud Watch (a specific system generated/managed resource) so that it can hold until execution is complete (because of the synchronous execution).
  4. Allow the Parent to run all the applicable Lambda functions in the Step Function. (This isn't really part of the problem I had, but related to the Step Function over all. This could also include other integrations—ex. SNS—if you have them.)

  ParentStepFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - !Sub states.${AWS::Region}.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        -
          PolicyName: ParentStepFunctionExecutionPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              -
                Effect: Allow
                Action: states:StartExecution
                Resource: !Ref ChildStepFunction
              -
                Effect: Allow
                Action:
                  - states:DescribeExecution
                  - states:StopExecution
                Resource: "*"
              -
                Effect: Allow
                Action:
                  - events:PutTargets
                  - events:PutRule
                  - events:DescribeRule
                Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule
              -
                Effect: Allow
                Action: lambda:InvokeFunction
                Resource:
                  - !GetAtt Function1.Arn
                  ...
                  - !GetAtt FunctionX.Arn
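As an added check that is not part of either answer above: a small offline linter for the policy document, run over the role from this answer with its `!Ref`/`!Sub` values resolved to constructed placeholder ARNs. It confirms the three `events:*` actions are present and scoped to the managed rule rather than `*`, that `states:StartExecution` names the child state machine, and it flags the `Resource: "*"` on `states:DescribeExecution`/`states:StopExecution` that the answer itself notes could be tailored further. The sample policy, the regex and the finding texts are my own assumptions, not AWS-provided code.

```python
import re

# Constructed sample: the PolicyDocument from the answer above, with the
# CloudFormation intrinsics replaced by placeholder account/region/ARN values.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "states:StartExecution",
         "Resource": "arn:aws:states:us-east-1:123456789012:stateMachine:ChildStepFunction"},
        {"Effect": "Allow",
         "Action": ["states:DescribeExecution", "states:StopExecution"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
         "Resource": "arn:aws:events:us-east-1:123456789012:rule/"
                     "StepFunctionsGetEventsForStepFunctionsExecutionRule"},
    ],
}

# Assumed ARN shape of the system-managed rule named in the answer (any partition).
MANAGED_RULE = re.compile(
    r"^arn:aws[a-z-]*:events:[a-z0-9-]+:\d{12}:rule/"
    r"StepFunctionsGetEventsForStepFunctionsExecutionRule$")
EVENTS_ACTIONS = {"events:PutTargets", "events:PutRule", "events:DescribeRule"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_nested_sfn_policy(policy):
    """Return a list of findings; an empty list means the role is scoped as intended."""
    findings, events_seen = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        if actions & EVENTS_ACTIONS:
            events_seen |= actions & EVENTS_ACTIONS
            bad = [r for r in resources if not MANAGED_RULE.match(r)]
            if bad:  # events:* on '*' would let the role touch every rule
                findings.append(f"events actions granted on {bad} instead of only the managed rule ARN")
        if "states:StartExecution" in actions and any(
                r == "*" or r.endswith(":stateMachine:*") for r in resources):
            findings.append("states:StartExecution is not limited to the child state machine")
        if {"states:DescribeExecution", "states:StopExecution"} & actions and "*" in resources:
            findings.append("states:DescribeExecution/StopExecution allowed on '*'; "
                            "the answer notes this could be tailored more narrowly")
    if EVENTS_ACTIONS - events_seen:
        findings.append(f"missing {sorted(EVENTS_ACTIONS - events_seen)}: "
                        "the synchronous nested execution will hit the managed-rule error")
    return findings
```

Running it against the answer's policy yields exactly one finding, the wildcard on the describe/stop statement; dropping the events statement produces the "missing" finding that corresponds to the error in the question title.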