This repository was archived by the owner on Feb 5, 2024. It is now read-only.
This repository was archived by the owner on Feb 5, 2024. It is now read-only.
Question - Is there an easy way to get authorized to perform: states:StartExecution? #31
Description
Calling stepfunctions.startExecution(params).promise() from a express route/controller is giving me this exception:
{
"message": "User: arn:aws:sts::3333333333:assumed-role/tf-ourservice-development-lambda-execution/sls-ourservice-development-api is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-1:3333333333:stateMachine:generateCourse",
"code": "AccessDeniedException",
"time": "2019-09-27T15:44:01.864Z",
"requestId": "c0c52ee3-fa60-4f49-9b3f-90608696004b",
"statusCode": 400,
"retryable": false,
"retryDelay": 70.21923469758191
}
route/controller
getZipById(req, res) {
return Course.findOne({ where: { id: req.params.id } })
.then(async (course) => {
let generateCourseWorkflowArn = process.env.GENERATE_COURSE_ARN;
if (process.env.STAGE === "localdev") {
generateCourseWorkflowArn = "arn:aws:states:us-east-1:3333333333:stateMachine:GenerateCourse";
}
const params = {
name: `StateMachineGenerateCourse${uuidv4()}`,
stateMachineArn: generateCourseWorkflowArn,
input: JSON.stringify({course: course.dataValues})
};
try {
const data = await stepfunctions.startExecution(params).promise();
} catch (e) {
res.status(400).send(e);
}
})
.catch((error) => res.status(400).send(error));
},
serverless.yml
provider:
...
iamRoleStatements:
- Effect: "Allow"
Action:
- "states:*"
Resource:
- ${self:resources.Outputs.GenerateCourse.Value}
functions:
api:
handler: src/server/api.handler
environment:
GENERATE_COURSE_ARN: ${self:resources.Outputs.GenerateCourse.Value}
DATABASE_ENDPOINT: ${self:custom.environment.databaseEndpoint}
DATABASE_USER: ${self:custom.environment.databaseUser}
DATABASE_PASSWORD: ${self:custom.environment.databasePassword}
DATABASE_NAME: ${self:custom.environment.databaseName}
events: # Use a generic proxy to allow Express app to route.
- http: ANY /api
- http: 'ANY /api/{proxy+}'
generateCourseStart:
handler: src/server/step-functions/generate-course/start.handler
events:
- http: ANY /generate/course/start
generateCourseSistem:
handler: src/server/step-functions/generate-course/sistem.handler
events:
- http: ANY /generate/course/sistem
stepFunctions:
stateMachines:
generateCourse:
name: generateCourse
definition:
Comment: "Generate Course Step Functions Workflow"
StartAt: GenerateCourseStart
States:
GenerateCourseStart:
Type: Task
Resource: ${self:custom.environment.generateCourseStartArn}
Next: GenerateCourseSistem
GenerateCourseSistem:
Type: Task
Resource: ${self:custom.environment.generateCourseSistemArn}
End: true
resources:
Outputs:
GenerateCourse:
Description: The ARN of the example state machine
Value:
Ref: GenerateCourse
Reactions are currently unavailable