When trying to create a state machine from a state machine definition, I get the following error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.
Creation code:
    import boto3

    sfn_client = boto3.client("stepfunctions")  # region and credentials come from the environment

    # state_machine_def: the Amazon States Language definition (JSON string)
    # SFN_ROLE: ARN of the IAM execution role the state machine assumes
    state_machine = sfn_client.create_state_machine(
        name='state-machine',
        definition=state_machine_def,
        roleArn=SFN_ROLE,
    )
The IAM role I am using contains all the necessary permissions described here. What managed rule does the role need permission to create?
Answer 0 (score: 1)
The problem is this:
    {
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:PutRule",
            "events:DescribeRule"
        ],
        "Resource": [
            "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
        ]
    }
According to AWS Step Function nested workflow Execution, you need to add a specific rule to the Step Functions role so that it can listen for and create events. StepFunctionsGetEventsForStepFunctionsExecutionRule is the rule you are looking for.
Answer 1 (score: 0)
You most likely missed adding the correct policy to the IAM role. This is a policy from the official documentation that allows you to create and list state machines.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "states:ListStateMachines",
                    "states:ListActivities",
                    "states:CreateStateMachine",
                    "states:CreateActivity"
                ],
                "Resource": [
                    "arn:aws:states:*:*:*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": [
                    "arn:aws:iam:::role/my-execution-role"
                ]
            }
        ]
    }
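Added example, written for this page and not taken from the question or from any of the answers: a small offline pre-flight check that tells you whether an IAM policy document grants the permissions Answer 0 says the execution role needs (events:PutTargets, events:PutRule and events:DescribeRule on the StepFunctionsGetEventsForStepFunctionsExecutionRule rule), so the gap is found before create_state_machine returns AccessDeniedException. The region, account id and the two sample policy documents are constructed placeholders; the evaluator is deliberately simplified (Allow/Deny with IAM wildcards only, no Condition, NotAction, NotResource or resource-based policies) and is an assumption of this example, not AWS's own policy engine. The same helper also shows why a broad managed policy such as CloudWatchEventsFullAccess (events:* on *) satisfies the check while a policy without any events: actions does not.

```python
import json
import re

# Constructed placeholders, not values from the original question
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"


def managed_rule_arn(region=REGION, account_id=ACCOUNT_ID):
    """ARN of the EventBridge rule Step Functions creates for nested executions
    (rule name from the answer above; region/account are placeholders)."""
    return (f"arn:aws:events:{region}:{account_id}:rule/"
            "StepFunctionsGetEventsForStepFunctionsExecutionRule")


MANAGED_RULE_ARN = managed_rule_arn()


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """Match an IAM wildcard pattern ('*' any run, '?' one char) against a value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are compared as written.
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    return (any(_iam_match(a, action.lower()) for a in actions)
            and any(_iam_match(r, resource) for r in resources))


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation (assumption of this example):
    an explicit Deny always wins, otherwise any matching Allow grants."""
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_matches(s, action, resource)
           for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _statement_matches(s, action, resource)
               for s in statements)


def execution_role_requirements(region=REGION, account_id=ACCOUNT_ID):
    """(action, resource) pairs the execution role needs for the managed rule."""
    rule = managed_rule_arn(region, account_id)
    return [(a, rule) for a in ("events:PutTargets", "events:PutRule", "events:DescribeRule")]


def missing_permissions(policy, required):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


# Constructed role policy that reproduces the failure: log and metric access
# only, no events:* actions, so the managed rule cannot be created.
ROLE_POLICY_MISSING_EVENTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*", "cloudwatch:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "states:StartExecution", "Resource": "*"},
    ],
}

# Same policy plus the statement from Answer 0, scoped to the managed rule only
# (least privilege: no events:* on "*").
ROLE_POLICY_FIXED = json.loads(json.dumps(ROLE_POLICY_MISSING_EVENTS))
ROLE_POLICY_FIXED["Statement"].append({
    "Effect": "Allow",
    "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
    "Resource": [MANAGED_RULE_ARN],
})


if __name__ == "__main__":
    for name, policy in (("missing", ROLE_POLICY_MISSING_EVENTS), ("fixed", ROLE_POLICY_FIXED)):
        gaps = missing_permissions(policy, execution_role_requirements())
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(a for a, _ in gaps)}")
```

In practice you would feed is_allowed() the document returned by the IAM API for the execution role (for example the PolicyDocument from iam.get_role_policy for an inline policy) rather than the constructed dictionaries above, and run the check in the deployment pipeline before calling create_state_machine. Scoping the three events: actions to the single managed-rule ARN, as Answer 0 does, is preferable to attaching CloudWatchEventsFullAccess: the role then cannot create or retarget arbitrary EventBridge rules in the account.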
Answer 2 (score: 0)
The cause was that the CloudWatchFullAccess policy attached to SFN_ROLE did not have enough permissions for Step Functions workflows to publish events to CloudWatch. After replacing it with CloudWatchEventsFullAccess, everything worked.
Answer 3 (score: -2)
It turns out that adding CloudWatchEventsFullAccess works for Step Functions.