Cross-account access for .sync integration pattern
When you use a .sync service integration pattern in your workflow, Step Functions polls the invoked cross-account resource to confirm that the task is complete. This causes a slight delay between the time the task actually completes and the time Step Functions recognizes it as complete. For a .sync invocation to complete this polling loop, two things are required of the target IAM role in the other account: its trust policy must allow the source account's role to assume it, and it must have the permissions the polling loop needs (starting the task, then describing and, if necessary, stopping it).
Note
For nested Express Workflows, arn:aws:states:::states:startExecution.sync
isn't currently supported. Use
arn:aws:states:::aws-sdk:sfn:startSyncExecution
instead.
Trust policy update for .sync calls
Update the trust policy of your target IAM role as shown in the following example. The sts:ExternalId condition further restricts who can assume the role: Step Functions passes the ARN of the calling state machine as the ExternalId, so only that state machine (not every caller that can use InvokeRole) satisfies the condition. Because the state machine ARN is sent as the ExternalId, the state machine's name must contain only characters that the Amazon Security Token Service AssumeRole API accepts in that field. For more information, see AssumeRole in the Amazon Security Token Service API Reference.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws-cn:iam::sourceAccountID:role/InvokeRole"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "arn:aws-cn:states:region:sourceAccountID:stateMachine:stateMachineName"
        }
      }
    }
  ]
}
Permissions required for .sync calls
To grant the permissions your state machine needs, update the permissions of the target IAM role. For more information, see IAM Policies for integrated services. The Amazon EventBridge permissions shown in those example policies aren't required for the cross-account case. For example, to start and poll a state machine in the target account, add the following permissions: states:StartExecution on the state machine itself, and states:DescribeExecution and states:StopExecution on that state machine's executions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:StartExecution"
      ],
      "Resource": [
        "arn:aws-cn:states:region:accountID:stateMachine:stateMachineName"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:StopExecution"
      ],
      "Resource": [
        "arn:aws-cn:states:region:accountID:execution:stateMachineName:*"
      ]
    }
  ]
}
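The following Python is an added example, not code from the Step Functions documentation or from any AWS SDK. It generates both policies above (the trust policy and the target role's polling permissions) for a state-machine target, checks that the calling state machine's ARN is a legal sts:ExternalId value (the AssumeRole API pattern [\w+=,.@:\/-] with a length of 2 to 1224 characters), and flags the weak form of the trust policy, an AssumeRole statement with no ExternalId condition, which would let any caller that can use InvokeRole assume the target role. The partition, region, account IDs, role and state machine names are placeholder assumptions.

```python
"""Build and check the cross-account IAM policies a .sync integration needs.

Added example; not part of the Step Functions documentation. All account
IDs, names and the region below are placeholder assumptions.
"""
import json
import re

# Placeholder values (assumptions, not real accounts or resources).
PARTITION = "aws-cn"
REGION = "cn-north-1"
SOURCE_ACCOUNT = "111111111111"    # account that runs the calling state machine
TARGET_ACCOUNT = "222222222222"    # account that owns the invoked state machine
INVOKE_ROLE = "InvokeRole"         # execution role of the calling state machine
CALLER_STATE_MACHINE = "Orchestrator"
TARGET_STATE_MACHINE = "OrderProcessor"

# ExternalId pattern from the STS AssumeRole API reference: [\w+=,.@:\/-], 2..1224 chars.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)


def state_machine_arn(account, name, region=REGION, partition=PARTITION):
    return f"arn:{partition}:states:{region}:{account}:stateMachine:{name}"


def execution_arn_pattern(account, name, region=REGION, partition=PARTITION):
    """Wildcard over every execution of one state machine (DescribeExecution/StopExecution target)."""
    return f"arn:{partition}:states:{region}:{account}:execution:{name}:*"


def external_id_is_valid(value):
    """True if value can be sent as sts:ExternalId. Step Functions sends the caller's
    state machine ARN, so a name containing e.g. '!' makes the AssumeRole call fail."""
    return EXTERNAL_ID_RE.fullmatch(value) is not None


def trust_policy(source_account, invoke_role, caller_arn, partition=PARTITION):
    """Trust policy for the target role: only invoke_role in the source account may
    assume it, and only when the ExternalId equals the calling state machine's ARN."""
    if not external_id_is_valid(caller_arn):
        raise ValueError(f"not a legal sts:ExternalId: {caller_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:{partition}:iam::{source_account}:role/{invoke_role}"},
            "Condition": {"StringEquals": {"sts:ExternalId": caller_arn}},
        }],
    }


def target_permissions(target_account, target_name, region=REGION, partition=PARTITION):
    """Permissions the target role needs for the .sync polling loop against a state machine:
    start it, then describe (poll) and, on abort, stop its executions. No EventBridge rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["states:StartExecution"],
             "Resource": [state_machine_arn(target_account, target_name, region, partition)]},
            {"Effect": "Allow", "Action": ["states:DescribeExecution", "states:StopExecution"],
             "Resource": [execution_arn_pattern(target_account, target_name, region, partition)]},
        ],
    }


def unscoped_assume_role_statements(policy):
    """Return Allow statements for sts:AssumeRole that carry no sts:ExternalId condition.
    Such a statement trusts every caller able to use the principal role, not just the
    intended state machine; the condition in trust_policy() is what closes that gap."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        scoped = any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))
        if not scoped:
            found.append(stmt)
    return found


if __name__ == "__main__":
    caller = state_machine_arn(SOURCE_ACCOUNT, CALLER_STATE_MACHINE)
    print(json.dumps(trust_policy(SOURCE_ACCOUNT, INVOKE_ROLE, caller), indent=2))
    print(json.dumps(target_permissions(TARGET_ACCOUNT, TARGET_STATE_MACHINE), indent=2))
```

Run the file to print both policy documents; feed them to your IAM tooling of choice (the example deliberately makes no API calls). The ExternalId check is worth running before you deploy, because Step Functions only reports the mismatch at execution time, when the AssumeRole call fails.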