Identity and Access Management in Amazon Simple Workflow Service - Amazon Simple Workflow Service
AuthenticationAccess ControlBasic PrinciplesAmazon SWF IAM PoliciesAPI Summary
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Identity and Access Management in Amazon Simple Workflow Service

Access to AWS Step Functions requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as retrieving event data from other AWS resources. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and Step Functions to help secure your resources by controlling who can access them:

Authentication

You can access AWS as any of the following types of identities:

  • AWS account root user – When you sign up for AWS, you provide an email address and password that is associated with your account. These are your root credentials, and they provide complete access to all of your AWS resources.

    Important

    For security reasons, we recommend that you use the root credentials only to create an administrator, which is an IAM user with full permissions to your account. Then you can use this administrator to create other IAM users and roles with limited permissions. For more information, see IAM Best Practices and Creating an Admin User and Group in the IAM User Guide.

  • IAM user – An IAM user is an identity within your account that has specific custom permissions (for example, permissions to send event data to a target in Amazon SWF). You can use an IAM user name and password to sign in to secure AWS webpages such as the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

     

    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (AWS CLI). The SDK and AWS CLI tools use the access keys to cryptographically sign your request. If you don’t use the AWS tools, you must sign the request yourself. Amazon Simple Workflow Service supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

     

  • IAM role – An IAM role is another IAM identity that you can create in your account that has specific permissions. It's similar to an IAM user, but it isn't associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:

     

    • Federated user access – Instead of creating an IAM user, you can use preexisting identities from AWS Directory Service, your enterprise user directory, or a web identity provider (IdP). These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.

       

    • Cross-account access – You can use an IAM role in your account to grant another account permissions to access your account’s resources. For an example, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles in the IAM User Guide.

       

    • AWS service access – You can use an IAM role in your account to grant to an AWS service the permissions needed to access your account’s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data stored in the bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

       

    • Applications running on Amazon EC2 – Instead of storing access keys in the EC2 instance for use by applications running on the instance and making AWS API requests, you can use an IAM role to manage temporary credentials for these applications. To assign an AWS role to an EC2 instance and make it available to all of its applications, you can create an instance profile that is attached to the instance. An instance profile contains the role and enables programs running on the EC2 instance to get temporary credentials. For more information, see Using Roles for Applications on Amazon EC2 in the IAM User Guide.

Access Control

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon SWF resources. For example, you must have permissions to invoke AWS Lambda, Amazon Simple Notification Service (Amazon SNS), and Amazon Simple Queue Service (Amazon SQS) targets associated with your Amazon SWF rules.

The following sections describe how to manage permissions for Amazon SWF. We recommend that you read the overview first.

Basic Principles

Amazon SWF access control is based primarily on two types of permissions:

  • Resource permissions: Which Amazon SWF resources a user can access.

    You can express resource permissions only for domains.

  • API permissions: Which Amazon SWF actions a user can call.

The simplest approach is to grant full account access—call any Amazon SWF action in any domain—or deny access entirely. However, IAM supports a more granular approach to access control that is often more useful. For example, you could:

  • Allow a user to call any Amazon SWF action without restrictions, but only in a specified domain. You could use such a policy to allow workflow applications that are under development to use any action, but only a "sandbox" domain.

  • Allow a user to access any domain, but constrain how they use the API. You could use such a policy to allow an "auditor" application to call the API in any domain, but allow only read access.

  • Allow a user to call only a limited set of actions in certain domains. You could use such a policy to allow a workflow starter to call only the StartWorkflowExecution action in a specified domain.

Amazon SWF access control is based on the following principles:

  • Access control decisions are based only on IAM policies; all policy auditing and manipulation is done through IAM.

  • The access control model uses a deny-by-default policy; any access that isn't explicitly allowed is denied.

  • You control access to Amazon SWF resources by attaching appropriate IAM policies to the workflow's actors.

  • Resource permissions can be expressed only for domains.

  • You can further constrain the usage of some actions by applying conditions to one or more parameters.

  • If you grant permission to use RespondDecisionTaskCompleted, you can express permissions for the list of decisions included in that action.

    Each of the decisions has one or more parameters, much like a regular API call. To allow for policies to be as readable as possible, you can express permissions on decisions as if they were actual API calls, including applying conditions to some parameters. These types of permissions are called pseudo API permissions.

For a summary of which regular and pseudo API parameters can be constrained by using conditions, see API Summary.

Amazon SWF IAM Policies

An IAM policy contains one or more Statement elements, each of which contains a set of elements that define the policy. For a complete list of elements and a general discussion of how to construct policies, see The Access Policy Language. Amazon SWF access control is based on the following elements:

Effect

(Required) The effect of the statement: deny or allow.

Note

You must explicitly allow access; IAM denies access by default.

Resource

(Required) The resource—an entity in an AWS service that a user can interact with—that the statement applies to.

You can express resource permissions only for domains. For example, a policy can allow access to only certain domains in your account. To express permissions for a domain, set Resource to the domain's Amazon Resource Name (ARN), which has the format "arn:aws-cn:swf:Region:AccountID:/domain/DomainName". Region is the AWS region, AccountID is the account ID with no dashes, and DomainName is the domain name.

Action

(Required) The action that the statement applies to, which you refer to by using the following format: serviceId:action. For Amazon SWF, set serviceID to swf. For example, swf:StartWorkflowExecution refers to the StartWorkflowExecution action, and is used to control which users are allowed to start workflows.

If you grant permission to use RespondDecisionTaskCompleted, you can also control access to the included list of decisions by using Action to express permissions for the pseudo API. Because IAM denies access by default, a decider's decision must be explicitly allowed or it will not be accepted. You can use a * value to allow all decisions.

Condition

(Optional) Expresses a constraint on one or more of an action's parameters, which restricts the allowed values.

Amazon SWF actions often have a wide scope, which you can reduce by using IAM conditions. For example, to limit which task lists the PollForActivityTask action is allowed to access, you include a Condition and use the swf:taskList.name key to specify the allowable lists.

You can express constraints for the following entities.

  • The workflow type. The name and version have separate keys.

  • The activity type. The name and version have separate keys.

  • Task lists.

  • Tags. You can specify multiple tags for some actions. In that case, each tag has a separate key.

Note

For Amazon SWF, the values are all strings so you constrain a parameter by using a string operator such as StringEquals, which restricts the parameter to a specified string. However, the regular string comparison operators such as StringEquals require all requests to include the parameter. If you don't include the parameter explicitly, and there is no default value such as the default task list provided during type registration, access will be denied.

It is often useful to treat conditions as optional, so that you can call an action without necessarily including the associated parameter. For example, you might want to allow a decider to specify a set of RespondDecisionTaskCompleted decisions, but also allow it to specify only one of them for any particular call. In that case, you constrain the appropriate parameters by using a StringEqualsIfExists operator, which allows access if the parameter satisfies the condition, but doesn't deny access if the parameter is absent.

For a complete list of constrainable parameters and the associated keys, see API Summary.

The following section provides examples of how to construct Amazon SWF policies. For details, see String Conditions.

Amazon SWF Policy Examples

A workflow consists of multiple actors—activities, deciders, and so on. You can control access for each actor by attaching an appropriate IAM policy. This section provides some examples. The following shows the simplest case: 

{
   "Version": "2012-10-17",
   "Statement" : [ {
      "Effect" : "Allow",
      "Action" : "swf:*",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/*"
   } ]
}

If you attach this policy to an actor, it has full account access across all regions. You can use wildcards to have a single value represent multiple resources, actions, or regions.

  • The first wildcard (*) in the Resource value indicates that the resource permissions apply to all regions. To restrict permissions to a single region, replace the wildcard with the appropriate region string, such as us-east-1.

  • The second wildcard (*) in the Resource value allows the actor to access any of the account's domains in the specified regions.

  • The wildcard (*) in the Action value allows the actor to call any Amazon SWF action.

For details on how to use wildcards, see Element Descriptions

The following sections show examples of policies that grant permissions in a more granular way.

Domain Permissions

If you want to restrict a department's workflows to a particular domain, you can use something like: 

{
   "Version": "2012-10-17",
   "Statement": [ {
      "Effect" : "Allow",
      "Action" : "swf:*",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/department1"
   } ]
}

If you attach this policy to an actor, it can call any action, but only for the department1 domain.

If you want an actor to have access to more than one domain, you can express permission for each domain separately, as follows: 

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect" : "Allow",
         "Action" : "swf:*",
         "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/department1"
      }, {
         "Effect" : "Allow",
         "Action" : "swf:*",
         "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/department2"
      }
   ]
}

If you attach this policy to an actor, it can use any Amazon SWF action in the department1 and department2 domains. You can also sometimes use wildcards to represent multiple domains.

API Permissions and Constraints

You control which actions an actor can use with the Action element. Optionally, you can constrain the action's allowable parameter values by using a Condition element.

If you want to restrict an actor to only certain actions, you can use something like the following: 

{
   "Version": "2012-10-17",
   "Statement": [ {
      "Effect" : "Allow",
      "Action" : "swf:StartWorkflowExecution",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/department2"
   } ]
}

If you attach this policy to an actor, it can call StartWorkflowExecution to start workflows in the department2 domain. It can't use any other actions or start workflows in any other domains.

You can further restrict which workflows an actor can start by constraining one or more of the StartWorkflowExecution parameter values, as follows: 

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect" : "Allow",
         "Action" : "swf:StartWorkflowExecution",
         "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/department1",
         "Condition" : {
            "StringEquals" : { 
               "swf:workflowType.name" : "workflow1",
               "swf:workflowType.version" : "version2" 
            }
         }
      }
   ]
}

This policy constrains the StartWorkflowExecution action's name and version parameters. If you attach the policy to an actor, it can run only version2 of workflow1 in the department1 domain and both parameters must be included in the request.

You can constrain a parameter without requiring it to be included in a request by using a StringEqualsIfExists operator, as follows: 

{
   "Version": "2012-10-17",
   "Statement" : [ {
      "Effect" : "Allow",
      "Action" : "swf:StartWorkflowExecution",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/some_domain",
      "Condition" : {
         "StringEqualsIfExists" : { "swf:taskList.name" : "task_list_name" }
      }
   } ]
}

This policy allows an actor to optionally specify a task list when starting a workflow execution.

You can constrain a list of tags for some actions. In that case, each tag has a separate key, so you use swf:tagList.member.0 to constrain the first tag in the list, swf:tagList.member.1 to constrain the second tag in the list, and so on, up to a maximum of 5. However, you must be careful how you constrain tag lists. For instance, here is an example of a policy that is not recommended: 


{
   "Version": "2012-10-17",
   "Statement" : [ {
      "Effect" : "Allow",
      "Action" : "swf:StartWorkflowExecution",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/some_domain",
      "Condition" : {
         "StringEqualsIfExists" : {
            "swf:tagList.member.0" : "some_ok_tag", "another_ok_tag"
         }
      }
   } ]
}

This policy allows you to optionally specify either some_ok_tag or another_ok_tag. However, this policy constrains only the first element of the tag list. The list could have additional elements with arbitrary values that would all be allowed because this policy doesn't apply any conditions to swf:tagList.member.1, swf:tagList.member.2, and so on .

One way to address this issue is to disallow the use of tag lists. The following policy ensures that only some_ok_tag or another_ok_tag are allowed by requiring the list to have only one element. 

{
   "Version": "2012-10-17",
   "Statement" : [ {
      "Effect" : "Allow",
      "Action" : "swf:StartWorkflowExecution",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/some_domain",
      "Condition" : {
         "StringEqualsIfExists" : {
            "swf:tagList.member.0" : "some_ok_tag", "another_ok_tag"
         },
         "Null" : { "swf:tagList.member.1" : "true" }
      }
   } ]
}

Pseudo API Permissions and Constraints

If you want to restrict the decisions available to RespondDecisionTaskCompleted, you must first allow the actor to call RespondDecisionTaskCompleted. You can then express permissions for the appropriate pseudo API members by using the same syntax as for the regular API, as follows: 

{
   "Version": "2012-10-17",
   "Statement" : [
      {
         "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/*",
         "Action" : "swf:RespondDecisionTaskCompleted",
         "Effect" : "Allow"
      }, {
         "Resource" : "*",
         "Action" : "swf:ScheduleActivityTask",
         "Effect" : "Allow",
         "Condition" : {
            "StringEquals" : { "swf:activityType.name" : "SomeActivityType" }
         }
      }
   ]
}

If you attach this policy to an actor, the first Statement element allows the actor to call RespondDecisionTaskCompleted. The second element allows the actor to use the ScheduleActivityTask decision to direct Amazon SWF to schedule an activity task. To allow all decisions, replace "swf:ScheduleActivityTask" with "swf:*".

You can use Condition operators to constrain parameters just as with the regular API. The StringEquals operator in this Condition allows RespondDecisionTaskCompleted to schedule an activity task for the SomeActivityType activity, and it must schedule that task. If you want to allow RespondDecisionTaskCompleted to use a parameter value but not require it to do so, you can instead use the StringEqualsIfExists operator.

Service Model Limitations on IAM Policies

You must consider service model constraints when creating IAM policies. It is possible to create a syntactically valid IAM policy that represents an invalid Amazon SWF request; a request that is allowed in terms of access control can still fail because it is an invalid request.

For instance, the following policy for ListOpenWorkflowExecutions is not recommended: 

{
   "Version": "2012-10-17",
   "Statement" : [ {
      "Effect" : "Allow",
      "Action" : "swf:ListOpenWorkflowExecutions",
      "Resource" : "arn:aws-cn:swf:*:123456789012:/domain/domain_name",
      "Condition" : {
         "StringEquals" : { 
            "swf:typeFilter.name" : "workflow_name",
            "swf:typeFilter.version" : "workflow_version",
            "swf:tagFilter.tag" : "some_tag" 
         }
      }
   } ]
}

The Amazon SWF service model doesn't allow the typeFilter and tagFilter parameters to be used in the same ListOpenWorkflowExecutions request. The policy therefore allows calls that the service will reject—by throwing ValidationException—as an invalid request.

API Summary

This section briefly describes how you can use IAM policies to control how an actor can use each API and pseudo API to access Amazon SWF resources.

  • For all actions except RegisterDomain and ListDomains, you can allow or deny access to any or all of an account's domains by expressing permissions for the domain resource.

  • You can allow or deny permission for any member of the regular API and, if you grant permission to call RespondDecisionTaskCompleted, any member of the pseudo API.

  • You can use a Condition to constrain some parameters' allowable values.

The following sections list the parameters that can be constrained for each member of the regular and pseudo API and provide the associated key, and note any limitations on how you can control domain access.

Regular API

This section lists the regular API members, and briefly describes the parameters that can be constrained and the associated keys. It also notes any limitations on how you can control domain access.

CountClosedWorkflowExecutions

  • tagFilter.tag – String constraint. The key is swf:tagFilter.tag

  • typeFilter.name – String constraint. The key is swf:typeFilter.name.

  • typeFilter.version – String constraint. The key is swf:typeFilter.version.

Note

CountClosedWorkflowExecutions requires typeFilter and tagFilter to be mutually exclusive.

CountOpenWorkflowExecutions

  • tagFilter.tag – String constraint. The key is swf:tagFilter.tag

  • typeFilter.name – String constraint. The key is swf:typeFilter.name.

  • typeFilter.version – String constraint. The key is swf:typeFilter.version.

Note

CountOpenWorkflowExecutions requires typeFilter and tagFilter to be mutually exclusive.

CountPendingActivityTasks

  • taskList.name – String constraint. The key is swf:taskList.name.

CountPendingDecisionTasks

  • taskList.name – String constraint. The key is swf:taskList.name.

DeprecateActivityType

  • activityType.name – String constraint. The key is swf:activityType.name.

  • activityType.version – String constraint. The key is swf:activityType.version.

DeprecateDomain

  • You can't constrain this action's parameters.

DeprecateWorkflowType

  • workflowType.name – String constraint. The key is swf:workflowType.name.

  • workflowType.version – String constraint. The key is swf:workflowType.version.

DescribeActivityType

  • activityType.name – String constraint. The key is swf:activityType.name.

  • activityType.version – String constraint. The key is swf:activityType.version.

DescribeDomain

  • You can't constrain this action's parameters.

DescribeWorkflowExecution

  • You can't constrain this action's parameters.

DescribeWorkflowType

  • workflowType.name – String constraint. The key is swf:workflowType.name.

  • workflowType.version – String constraint. The key is swf:workflowType.version.

GetWorkflowExecutionHistory

  • You can't constrain this action's parameters.

ListActivityTypes

  • You can't constrain this action's parameters.

ListClosedWorkflowExecutions

  • tagFilter.tag – String constraint. The key is swf:tagFilter.tag

  • typeFilter.name – String constraint. The key is swf:typeFilter.name.

  • typeFilter.version – String constraint. The key is swf:typeFilter.version.

Note

ListClosedWorkflowExecutions requires typeFilter and tagFilter to be mutually exclusive.

ListDomains

  • You can't constrain this action's parameters.

ListOpenWorkflowExecutions

  • tagFilter.tag – String constraint. The key is swf:tagFilter.tag

  • typeFilter.name – String constraint. The key is swf:typeFilter.name.

  • typeFilter.version – String constraint. The key is swf:typeFilter.version.

Note

ListOpenWorkflowExecutions requires typeFilter and tagFilter to be mutually exclusive.

ListWorkflowTypes

  • You can't constrain this action's parameters.

PollForActivityTask

  • taskList.name – String constraint. The key is swf:taskList.name.

PollForDecisionTask

  • taskList.name – String constraint. The key is swf:taskList.name.

RecordActivityTaskHeartbeat

  • You can't constrain this action's parameters.

RegisterActivityType

  • defaultTaskList.name – String constraint. The key is swf:defaultTaskList.name.

  • name – String constraint. The key is swf:name.

  • version – String constraint. The key is swf:version.

RegisterDomain

  • name – The name of the domain being registered is available as the resource of this action.

RegisterWorkflowType

  • defaultTaskList.name – String constraint. The key is swf:defaultTaskList.name.

  • name – String constraint. The key is swf:name.

  • version – String constraint. The key is swf:version.

RequestCancelWorkflowExecution

  • You can't constrain this action's parameters.

RespondActivityTaskCanceled

  • You can't constrain this action's parameters.

RespondActivityTaskCompleted

  • You can't constrain this action's parameters.

RespondActivityTaskFailed

  • You can't constrain this action's parameters.

RespondDecisionTaskCompleted

  • decisions.member.N – Restricted indirectly through pseudo API permissions. For details, see Pseudo API.

SignalWorkflowExecution

  • You can't constrain this action's parameters.

StartWorkflowExecution

  • tagList.member.0 – String constraint. The key is swf:tagList.member.0

  • tagList.member.1 – String constraint. The key is swf:tagList.member.1

  • tagList.member.2 – String constraint. The key is swf:tagList.member.2

  • tagList.member.3 – String constraint. The key is swf:tagList.member.3

  • tagList.member.4 – String constraint. The key is swf:tagList.member.4

  • taskList.name – String constraint. The key is swf:taskList.name.

  • workflowType.name – String constraint. The key is swf:workflowType.name.

  • workflowType.version – String constraint. The key is swf:workflowType.version.

Note

You can't constrain more than five tags.

TerminateWorkflowExecution

  • You can't constrain this action's parameters.

Pseudo API

This section lists the members of the pseudo API, which represent the decisions included in RespondDecisionTaskCompleted. If you have granted permission to use RespondDecisionTaskCompleted, your policy can express permissions for the members of this API in the same way as the regular API. You can further restrict some members of the pseudo-API by setting conditions on one or more parameters. This section lists the pseudo API members, and briefly describes the parameters that can be constrained and the associated keys.

Note

The aws:SourceIP, aws:UserAgent, and aws:SecureTransport keys are not available for the pseudo API. If your intended security policy requires these keys to control access to the pseudo API, you can use them with the RespondDecisionTaskCompleted action.

CancelTimer

  • You can't constrain this action's parameters.

CancelWorkflowExecution

  • You can't constrain this action's parameters.

CompleteWorkflowExecution

  • You can't constrain this action's parameters.

ContinueAsNewWorkflowExecution

  • tagList.member.0 – String constraint. The key is swf:tagList.member.0

  • tagList.member.1 – String constraint. The key is swf:tagList.member.1

  • tagList.member.2 – String constraint. The key is swf:tagList.member.2

  • tagList.member.3 – String constraint. The key is swf:tagList.member.3

  • tagList.member.4 – String constraint. The key is swf:tagList.member.4

  • taskList.name – String constraint. The key is swf:taskList.name.

  • workflowTypeVersion – String constraint. The key is swf:workflowTypeVersion.

Note

You can't constrain more than five tags.

FailWorkflowExecution

  • You can't constrain this action's parameters.

RecordMarker

  • You can't constrain this action's parameters.

RequestCancelActivityTask

  • You can't constrain this action's parameters.

RequestCancelExternalWorkflowExecution

  • You can't constrain this action's parameters.

ScheduleActivityTask

  • activityType.name – String constraint. The key is swf:activityType.name.

  • activityType.version – String constraint. The key is swf:activityType.version.

  • taskList.name – String constraint. The key is swf:taskList.name.

SignalExternalWorkflowExecution

  • You can't constrain this action's parameters.

StartChildWorkflowExecution

  • tagList.member.0 – String constraint. The key is swf:tagList.member.0

  • tagList.member.1 – String constraint. The key is swf:tagList.member.1

  • tagList.member.2 – String constraint. The key is swf:tagList.member.2

  • tagList.member.3 – String constraint. The key is swf:tagList.member.3

  • tagList.member.4 – String constraint. The key is swf:tagList.member.4

  • taskList.name – String constraint. The key is swf:taskList.name.

  • workflowType.name – String constraint. The key is swf:workflowType.name.

  • workflowType.version – String constraint. The key is swf:workflowType.version.

Note

You can't constrain more than five tags.

StartTimer

  • You can't constrain this action's parameters.