Reputation: 4476
I'm trying to create a state machine that can invoke another state machine. I tried to use the following approach to get the ARN. However, this returns the error `Arn is not a valid property` while the stack is being created.
```yaml
ParentStateMachine:
  Type: "AWS::StepFunctions::StateMachine"
  Properties:
    StateMachineName: !Sub "ParentStateMachine"
    DefinitionString:
      Fn::Sub:
        - |-
          {
            "Comment": "...",
            "StartAt": "State1",
            "States": {
              "State1": {
                "Type": "Task",
                "Resource": "arn:aws:states:::states:startExecution.sync",
                "Parameters": {
                  "StateMachineArn": "${ChildStateMachineArn}",
                  "Input": {
                    "StatePayload": {
                      "datasetDate.$": "$.datasetDate"
                    },
                    "AWS_STEP_FUNCTIONS_STARTED_BY_EXECUTION_ID.$": "$$.Execution.Id"
                  }
                },
                "End": true
              }
            }
          }
        # Substitution map: block mapping instead of a flow mapping, since a
        # flow mapping ({ ... }) cannot contain a block sequence
        - ChildStateMachineArn:
            Fn::GetAtt:
              - ChildStateMachine
              - Arn
    RoleArn:
      Fn::GetAtt:
        - StatesExecutionRole
        - Arn
```
I've also tried to generate the ARN by using this string.

```
arn:aws:states:${AWS::Region}:${AWS::AccountId}:stateMachine:ChildStateMachine
```
However, this gave the error

```
Failed to call Step Functions for request: 'com.amazonaws.services.stepfunctions.model.CreateStateMachineRequest'. (Service: null; Status Code: 500; Error Code: null; Request ID: null)
```
I'm able to create other types of state machines using CloudFormation. Only when I try to create one that executes a child workflow does it not work. When I go to CloudTrail, the CreateStateMachineEvent has an error code of Access Denied. I've given Admin Access to the role. Did anyone face this issue and find a solution?
Upvotes: 4
Views: 2530
Reputation: 53
If anyone is using AWS SAM, you can use an inline policy statement like this:
```yaml
Policies:
  - StepFunctionsExecutionPolicy:
      StateMachineName: !GetAtt ChildStepFunction.Name
  - Statement:
      - Sid: StatesStartExecutionPolicy
        Effect: Allow
        Action:
          - "states:*"
        Resource: '*'
      - Sid: StatesAccessEventsPolicy
        Effect: Allow
        Action:
          - "events:*"
        Resource: '*'
```
Upvotes: 0
Reputation: 201
For states using the "Wait for callback" patterns (those ending in .sync or .waitForTaskToken) you need special policies, as mentioned here.
Specifically in your case, in addition to the standard states:StartExecution policy you need to add event-related policies:
And policies dedicated to the describing and stopping of the execution:
Details can be found here.
For simplicity, most of the time I use the next policies:
```yaml
- PolicyName: StatesStartExecutionPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - "states:*"
        Resource: "*"
- PolicyName: StatesAccessEventsPolicy
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - "events:*"
        Resource: "*"
```
Upvotes: 5
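The two wildcard policies above unblock the stack but grant every Step Functions and EventBridge action on every resource in the account. As an added example (not from this answer or from AWS), the Python below builds the narrower policy that the AWS documentation gives for the startExecution.sync integration and flags wildcard grants in any policy document; the region, account id and child state machine name are constructed placeholders.

```python
# Added example: least-privilege execution-role policy for a parent state
# machine that calls a child via "states:startExecution.sync", plus a small
# checker that flags "states:*"-style grants on "*". Region, account id and
# state-machine name are constructed placeholders, not values from the page.
import json

# EventBridge rule Step Functions manages to receive the child's completion event.
EVENTS_RULE = "StepFunctionsGetEventsForStepFunctionsExecutionRule"


def sync_child_policy(region: str, account_id: str, child_name: str) -> dict:
    """IAM policy document the parent's role needs for the .sync pattern."""
    sm_arn = f"arn:aws:states:{region}:{account_id}:stateMachine:{child_name}"
    exec_arn = f"arn:aws:states:{region}:{account_id}:execution:{child_name}:*"
    rule_arn = f"arn:aws:events:{region}:{account_id}:rule/{EVENTS_RULE}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Start the child: scoped to that one state machine only.
            {"Effect": "Allow", "Action": ["states:StartExecution"],
             "Resource": [sm_arn]},
            # .sync polls the child's execution and stops it if the parent aborts.
            {"Effect": "Allow",
             "Action": ["states:DescribeExecution", "states:StopExecution"],
             "Resource": [exec_arn]},
            # .sync wires an EventBridge rule to learn when the child finishes.
            {"Effect": "Allow",
             "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
             "Resource": [rule_arn]},
        ],
    }


def wildcard_grants(policy: dict) -> list:
    """Return (action, resource) pairs where an Allow uses '*' or 'service:*'."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for act in actions:
            for res in resources:
                if act == "*" or act.endswith(":*") or res == "*":
                    found.append((act, res))
    return found


if __name__ == "__main__":
    doc = sync_child_policy("us-east-1", "123456789012", "ChildStateMachine")
    print(json.dumps(doc, indent=2), "wildcards:", wildcard_grants(doc))
```

The three statements are what the parent actually uses; `wildcard_grants` returns an empty list for them and two hits for the `states:*` / `events:*` policies in this answer.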
Reputation: 450
I ran into the same issue. I was able to fix it after giving the "states:StartExecution" permission to ParentStateMachine.
Create an inline policy for your Parent StateMachine's StatesExecutionRole and add something like below with the ChildStateMachineName. It should fix the issue.
```yaml
- PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Action:
          - states:StartExecution
        Resource: !GetAtt ChildStateMachine.Arn
```
Upvotes: 2