
Incorrect IAM Policy for serverless step functions in distributed mode without name specified #579

Closed
cm-kojimat opened this issue Aug 22, 2023 · 0 comments

Comments

@cm-kojimat

This is a Bug Report

Description

  • What went wrong?

    Incorrect IAM policies are being generated under certain conditions which triggered an error when running the start-execution command for the AWS StepFunctions service. The issues that need to be addressed are:

    1. The ARN is incorrectly generated when the name property is not specified for the state machine.
    Details

    The ID of the state machine (stateMachineId) is being used instead of the name property. This can be seen here. However, when name is not specified, AWS CloudFormation generates a name for the state machine automatically. Hence, the mapping function { "Fn::GetAtt": ["${stateMachineId}", "Name"] } should be used instead of stateMachineId.

  • What did you expect should have happened?

    The IAM policy should grant the correct permissions for State Machine execution even when the name property isn't specified.

  • What was the config you used?

    serverless.yaml

    service: issue1
    provider:
      name: aws
      region: us-east-2
    plugins:
      - serverless-step-functions
    stepFunctions:
      stateMachines:
        issue1:
          definition:
            StartAt: GenList
            States:
              GenList:
                Type: Pass
                Next: Map
                Result:
                  - 1
                  - 2
                  - 3
              Map:
                Type: Map
                ItemProcessor:
                  ProcessorConfig:
                    Mode: DISTRIBUTED
                    ExecutionType: STANDARD
                  StartAt: Pass
                  States:
                    Pass:
                      Type: Pass
                      End: true
                End: true
                MaxConcurrency: 1000

  • What error message from your provider did you see?

    The following error was received when executing the aws stepfunctions start-execution command:

    "cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"

Additional Data

  • Serverless Framework Core Version you're using: 3.34.0
  • The Plugin Version you're using: 3.14.0
  • Operating System: macOS 13.4.1 (ARM64)
  • Provider Error messages: Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)

Logs

$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev

Stack Outputs:
  Issue1StepFunctionsStateMachineArn: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
  ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4

$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "startDate": "2023-08-22T17:52:19.712000+09:00"
}

$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0"
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2:a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2",
    "name": "a2856cff-5377-4ed6-95be-5d0ef0b8b3c0",
    "status": "FAILED",
    "startDate": "2023-08-22T17:52:19.712000+09:00",
    "stopDate": "2023-08-22T17:52:27.256000+09:00",
    "input": "{}",
    "inputDetails": {
        "included": true
    },
    "error": "States.Runtime",
    "cause": "Error contacting AWS Service. | Message from Service: User: arn:aws:sts::123456789012:assumed-role/issue1-dev-Issue1StepFunctionsStateMachineRole-CDE9KTMBFV9C/UdtRefqtkMikXPXBEnIuhZhKoNZaDIEP is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-2:123456789012:stateMachine:Issue1StepFunctionsStateMachine-wy5Zatw0sbt2 because no identity-based policy allows the states:StartExecution action (Service: Sfn, Status Code: 400, Request ID: 7bdf772f-a7d6-4428-814a-cf90fabdfd09)"
}

$ vim serverless.yml # set name: issue2

$ npx serverless deploy
$ npx serverless info --verbose
service: issue1
stage: dev
region: us-east-2
stack: issue1-dev

Stack Outputs:
  Issue2Arn: arn:aws:states:us-east-2:123456789012:stateMachine:issue2
  ServerlessDeploymentBucketName: issue1-dev-serverlessdeploymentbucket-xoeed6cmgwo4

$ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-2:123456789012:stateMachine:issue2
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "startDate": "2023-08-22T17:54:18.705000+09:00"
}

$ aws stepfunctions describe-execution --execution-arn "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b"
{
    "executionArn": "arn:aws:states:us-east-2:123456789012:execution:issue2:3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "stateMachineArn": "arn:aws:states:us-east-2:123456789012:stateMachine:issue2",
    "name": "3ac713e0-babb-44d8-b9c2-2466d0b3ee7b",
    "status": "SUCCEEDED",
    "startDate": "2023-08-22T17:54:18.705000+09:00",
    "stopDate": "2023-08-22T17:54:21.507000+09:00",
    "input": "{}",
    "inputDetails": {
        "included": true
    },
    "output": "[1,2,3]",
    "outputDetails": {
        "included": true
    }
}
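To make the reported mismatch concrete, here is an added example (not code from serverless-step-functions or from the reporter) that builds the Resource entry of the states:StartExecution statement both the buggy way (logical id used as the name) and the way the report proposes (Fn::GetAtt on the Name attribute), then resolves each against a constructed snapshot of the deployed stack modelled on the logs above. The logical id Issue1StepFunctionsStateMachine, the resolver and the STACK snapshot are assumptions made for this illustration.

```javascript
// Added example: the ARN of the state machine as a CloudFormation intrinsic.
// With an explicit `name` the ARN is known when the template is generated;
// without one, CloudFormation generates the name, so it has to be read back
// from the resource with Fn::GetAtt <logicalId>.Name instead of being taken
// from the logical id (the bug the issue describes).
function startExecutionResource(stateMachineId, name) {
  const machineName = name || { 'Fn::GetAtt': [stateMachineId, 'Name'] };
  return {
    'Fn::Join': [':', ['arn', { Ref: 'AWS::Partition' }, 'states',
      { Ref: 'AWS::Region' }, { Ref: 'AWS::AccountId' }, 'stateMachine', machineName]],
  };
}

// The buggy variant: the logical id is pasted in as if it were the name.
function buggyStartExecutionResource(stateMachineId) {
  return startExecutionResource(undefined, stateMachineId);
}

// Minimal resolver for the three intrinsics used above (hypothetical helper,
// only enough to evaluate Ref, Fn::GetAtt and Fn::Join against a snapshot).
function resolve(value, stack) {
  if (typeof value === 'string') return value;
  if (value.Ref) return stack.refs[value.Ref];
  if (value['Fn::GetAtt']) {
    const [logicalId, attr] = value['Fn::GetAtt'];
    return stack.attrs[logicalId][attr];
  }
  if (value['Fn::Join']) {
    const [sep, parts] = value['Fn::Join'];
    return parts.map((p) => resolve(p, stack)).join(sep);
  }
  throw new Error('unsupported intrinsic');
}

// Constructed snapshot of the deployed stack, values taken from the
// `serverless info` output in the issue (account id is the placeholder shown there).
const STACK = {
  refs: { 'AWS::Partition': 'aws', 'AWS::Region': 'us-east-2', 'AWS::AccountId': '123456789012' },
  attrs: { Issue1StepFunctionsStateMachine: { Name: 'Issue1StepFunctionsStateMachine-wy5Zatw0sbt2' } },
};

// True when the policy resource, once resolved, names the ARN that was
// actually deployed; false is exactly the "no identity-based policy allows"
// failure seen in describe-execution.
function policyCoversDeployedArn(resource, deployedArn) {
  return resolve(resource, STACK) === deployedArn;
}
```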