Reputation: 614
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation
I am getting the following error when I try to create a state machine based on my state machine definition:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.
The creation code:
state_machine = sfn_client.create_state_machine(
name = 'state-machine',
definition = state_machine_def,
roleArn = SFN_ROLE,
)
My IAM role that I use contains all necessary permissions as described here. What kind of managed-rule does it need to have a permission to create?
Upvotes: 6
Views: 33417
Answers (3)
Reputation: 68715
Most likely you have missed adding the right policy to the IAM role. Here is a policy from the official documentation that allows you to create, list state machines.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": [
"arn:aws:states:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam:::role/my-execution-role"
]
}
]
}
Upvotes: 1
Reputation: 339
The issue is this
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
}
According to AWS Step Function nested workflow Execution, you need to add the specific rule for the step function role to listen and create events StepFunctionsGetEventsForStepFunctionsExecutionRule is the rule you are looking for
Upvotes: 5
Reputation: 614
The reason was that CloudWatchFullAccess policy attached to the SFN_ROLE has not enough permissions for Step Functions workflow to post events into CloudWatch. Once I replaced it with CloudWatchEventsFullAccess everything works ok.
Upvotes: 8
Related Questions
- Boto3 exception NoCredentialsError
- botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation
- botocore.exceptions.ClientError: An error occurred (ExpiredTokenException) The security token included in the request is expired
- botocore.utils [DEBUG] Caught retryable HTTP exception while making metadata service request, could not connect to the endpoint URL
- botocore.exceptions.ClientError: An error occurred (AccessDeniedException)
- How to solve botocore.exceptions.NoCredentialsError: Unable to locate credentials
- Boto3 Error in AWS SDK: botocore.exceptions.NoCredentialsError: Unable to locate credentials
- boto3 issue checking ec2 instance state
- Permission error when using Boto3, but works via aws cli
- botocore.exceptions.EndpointConnectionError: Could not connect to the endpoint