Cross-account access for .sync integration pattern - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-account access for .sync integration pattern

When you use the .sync service integration pattern in your workflows, Step Functions polls the invoked cross-account resource to confirm that the task is complete. This causes a slight delay between the actual task completion time and the time when Step Functions recognizes the task as complete. For a cross-account .sync invocation to complete this polling loop, the target IAM role must satisfy two requirements: its trust policy must allow the source account to assume it, and it must hold the permissions that the polling loop needs. Both are described in the following sections.

Note

For nested Express Workflows, arn:aws:states:::states:startExecution.sync isn't currently supported. Use arn:aws:states:::aws-sdk:sfn:startSyncExecution instead.

Trust policy update for .sync calls

Update the trust policy of your target IAM role as shown in the following example. The sts:ExternalId condition further restricts who can assume the role; in the example it is set to the ARN of the source state machine, so only that state machine's .sync calls are accepted. Because the state machine ARN is passed as the external ID, the state machine's name must include only characters that the Amazon Security Token Service AssumeRole API supports. For more information, see AssumeRole in the Amazon Security Token Service API Reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "arn:aws-cn:iam::sourceAccountID:role/InvokeRole"
            },
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "arn:aws-cn:states:us-west-2:sourceAccountID:stateMachine:stateMachineName"
                }
            }
        }
    ]
}

Permissions required for .sync calls

To grant the permissions that your state machine requires, update the permission policy of the target IAM role. For more information, see IAM Policies for integrated services. The Amazon EventBridge permissions shown in those example policies aren't required for cross-account .sync calls. For example, to start a state machine in the target account and let the polling loop describe and stop its executions, add the following permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws-cn:states:region:accountID:stateMachine:stateMachineName"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:StopExecution"
            ],
            "Resource": [
                "arn:aws-cn:states:region:accountID:execution:stateMachineName:*"
            ]
        }
    ]
}
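The following script is an added example, not part of the Amazon documentation or any AWS SDK: it checks a target role's trust policy and permission policy offline against the two requirements above (source role as principal with sts:ExternalId pinned to the source state machine ARN; StartExecution on the state machine plus DescribeExecution and StopExecution on its executions). The helper functions, account IDs and ARNs are all constructed for the example.

```python
# Added offline check, not an AWS API: does the target role's trust policy name the
# source role and pin sts:ExternalId to the source state machine ARN, and does its
# permission policy grant the actions the .sync polling loop needs? ARNs constructed.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(trust, source_role_arn, state_machine_arn):
    # Returns a list of findings; an empty list means the trust policy is as expected.
    findings, seen = [], False
    for stmt in _allow_statements(trust):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen = True
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("any AWS principal may assume the role")
        if source_role_arn not in aws:
            findings.append("source role is not a trusted principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != state_machine_arn:
            findings.append("sts:ExternalId is not pinned to the source state machine ARN")
    return findings if seen else ["no Allow sts:AssumeRole statement found"]

def check_permissions(policy, state_machine_arn):
    # Returns the (action, resource) pairs the polling loop needs but the policy lacks.
    execution_arn = state_machine_arn.replace(":stateMachine:", ":execution:") + ":*"
    required = {"states:StartExecution": state_machine_arn,
                "states:DescribeExecution": execution_arn,
                "states:StopExecution": execution_arn}
    granted = set()
    for stmt in _allow_statements(policy):
        actions, resources = set(_as_list(stmt.get("Action", []))), set(_as_list(stmt.get("Resource", [])))
        for action, resource in required.items():
            if action in actions and (resource in resources or "*" in resources):
                granted.add(action)
    return [(a, r) for a, r in required.items() if a not in granted]

# Constructed sample: a trust policy that names the right role but omits the
# ExternalId pin, and a permission policy missing states:StopExecution.
SOURCE_ROLE = "arn:aws-cn:iam::111111111111:role/InvokeRole"
SOURCE_SM = "arn:aws-cn:states:cn-north-1:111111111111:stateMachine:Caller"
TARGET_SM = "arn:aws-cn:states:cn-north-1:222222222222:stateMachine:Target"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                 "Principal": {"AWS": SOURCE_ROLE}}]}
PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["states:StartExecution"], "Resource": [TARGET_SM]},
    {"Effect": "Allow", "Action": ["states:DescribeExecution"],
     "Resource": [TARGET_SM.replace(":stateMachine:", ":execution:") + ":*"]}]}
```

Running check_trust_policy(TRUST, SOURCE_ROLE, SOURCE_SM) and check_permissions(PERMS, TARGET_SM) reports the missing ExternalId condition and the missing states:StopExecution grant respectively; load real policies with json.load and pass them in the same way.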