What permissions does the 'invoke stepfunction' role (created from cloudwatch events console) have?
I'm following this article to go through the steps on how to set up a CloudWatch rule in the AWS console to trigger a Step Functions state machine, link: https://blog.shikisoft.com/3-ways-to-schedule-aws-lambda-and-step-functions-state-machines/

In one of the steps, the console can create a new role to give CloudWatch Events permission to trigger the state machine. For some reason I have a permission issue when trying this step; can someone try this process and copy the permission/policy of this new role for me, so that I can use it in a Terraform definition? Hope this makes sense, thanks.

Guyenne answered 5/1, 2021 at 14:42 Comment(0)
This role gives CloudWatch Events (now rebranded as EventBridge) permission to assume the role as you and then start an execution of the state machine.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "states:StartExecution" ],
            "Resource": [ "arn:aws:states:*:*:stateMachine:*" ]
        }
    ]
}

This wiki might be helpful https://docs.aws.amazon.com/eventbridge/latest/userguide/iam-identity-based-access-control-eventbridge.html#target-permissions-eventbridge

On "for some reason I have permission issue when trying this step":

You may not have the permission to either create target or IAM roles. I'd recommend checking the permission of the role you are using in the console.

Hessian answered 5/1, 2021 at 15:2 Comment(4)
Hi, I'm not using EventBridge, I'm using CloudWatch Events; I thought I would need events.amazon.com as well? - Guyenne
And I notice that when I set up the definition for creating the state machine, I have an existing role which has the required permission; does that mean I can use the same role? - Guyenne
Both are the same service. EventBridge is just the new name for CloudWatch Events. The EventBridge documentation is more up to date. - Hessian
You can always use an existing role, though EventBridge doesn't check if the role has the necessary permission. Also, it's usually best practice to not reuse roles unless you're confident that they will not be changed accidentally. - Hessian
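The same role and permissions expressed as a Terraform definition, which is what the question asks for, added here as an example that is not part of the thread. It assumes an existing `aws_sfn_state_machine.main` resource; the role, policy and rule names and the schedule expression are placeholders, and the policy narrows the console's `stateMachine:*` resource to that single state machine.

```hcl
# Added example, not from the thread. Assumes aws_sfn_state_machine.main
# is declared elsewhere in the same Terraform configuration.

# Trust policy: only the EventBridge (CloudWatch Events) service may assume the role.
data "aws_iam_policy_document" "events_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "invoke_stepfunction" {
  name               = "cloudwatch-events-invoke-stepfunction" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.events_assume.json
}

# Permissions policy: StartExecution on the one state machine, not on
# arn:aws:states:*:*:stateMachine:* as the console-created role grants.
data "aws_iam_policy_document" "start_execution" {
  statement {
    effect    = "Allow"
    actions   = ["states:StartExecution"]
    resources = [aws_sfn_state_machine.main.arn]
  }
}

resource "aws_iam_role_policy" "start_execution" {
  name   = "StartStateMachineExecution"
  role   = aws_iam_role.invoke_stepfunction.id
  policy = data.aws_iam_policy_document.start_execution.json
}

# Scheduled rule; the target carries the role EventBridge assumes to start the execution.
resource "aws_cloudwatch_event_rule" "schedule" {
  name                = "run-state-machine-every-5-minutes" # placeholder name
  schedule_expression = "rate(5 minutes)"                   # placeholder schedule
}

resource "aws_cloudwatch_event_target" "state_machine" {
  rule     = aws_cloudwatch_event_rule.schedule.name
  arn      = aws_sfn_state_machine.main.arn
  role_arn = aws_iam_role.invoke_stepfunction.arn
}
```

If the rule is created without `role_arn`, EventBridge has no credentials to start the execution and the invocation fails silently from the rule's point of view, which is worth checking first when a scheduled state machine never runs.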
I suggest declaring an IAM role and linking it to your event rule, as in this CloudFormation example, which listens to changes in an S3 bucket:

# IAM role that EventBridge (CloudWatch Events) assumes when the rule fires
S3EventRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    # Trust policy: only the events service may assume this role
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - events.amazonaws.com
          Action: sts:AssumeRole
    # Permissions policy: StartExecution on a single state machine
    Policies:
      - PolicyName: CallStepFunctions
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - states:StartExecution
              Resource:
                # MainFlow is assumed to be an AWS::StepFunctions::StateMachine
                # declared elsewhere in the template; Ref returns its ARN
                - !Ref MainFlow
## Event Rule
S3EventRule:
  Type: AWS::Events::Rule
  Properties:
    Name: your-S3EventRule
    Targets:
      - Id: event_from_S3EventRule
        Arn: your-stepfunctions-arn   # placeholder; must match the Resource granted above
        RoleArn: !GetAtt S3EventRole.Arn
    # "Object Created" / "Object Deleted" events reach EventBridge only if
    # EventBridge notifications are enabled on the bucket
    EventPattern:
      source:
        - aws.s3
      detail-type:
        - Object Created
        - Object Deleted
      detail:
        bucket:
          name:
            - your-bucket
Settles answered 16/5, 2022 at 3:15 Comment(0)
