IAM policies for using Distributed Map states
When you create workflows with the Step Functions console, Step Functions can automatically generate IAM policies based on the resources in your workflow definition. These policies include the least privileges necessary to allow the state machine role to invoke the StartExecution
API action for the Distributed Map state. These policies also include the least privileges necessary Step Functions to access Amazon resources, such as Amazon S3 buckets and objects and Lambda functions. We highly recommend that you include only those permissions that are necessary in your IAM policies. For example, if your workflow includes a Map
state in Distributed mode, scope your policies down to the specific Amazon S3 bucket and folder that contains your dataset.
Important
If you specify an Amazon S3 bucket and object, or prefix, with a reference path to an existing key-value pair in your Distributed Map state input, make sure that you update the IAM policies for your workflow. Scope the policies down to the bucket and object names the path resolves to at runtime.
Example of IAM policy for running a Distributed Map state
When you include a Distributed Map state in your workflows, Step Functions needs appropriate permissions to allow the state machine role to invoke the StartExecution
API action for the Distributed Map state.
The following IAM policy example grants the least privileges required to your state machine role for running the Distributed Map state.
Note
Make sure that you replace
with the name of the state machine in which you're using the Distributed Map state. For example, stateMachineName
arn:aws-cn:states:
.us-west-2
:123456789012
:stateMachine:mystateMachine
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": [ "arn:aws-cn:states:
region
:accountID
:stateMachine:stateMachineName
" ] }, { "Effect": "Allow", "Action": [ "states:DescribeExecution", "states:StopExecution" ], "Resource": "arn:aws-cn:states:region
:accountID
:execution:stateMachineName
:*" } ] }
Example of IAM policy for redriving a Distributed Map
You can restart unsuccessful child workflow executions in a Map Run by redriving your parent workflow. A redriven
parent workflow redrives all the unsuccessful states, including Distributed Map. Make sure that your execution role has the least privileges necessary to allow it to invoke the RedriveExecution
API action on the parent workflow.
The following IAM policy example grants the least privileges required to your state machine role for redriving a Distributed Map state.
Note
Make sure that you replace
with the name of the state machine in which you're using the Distributed Map state. For example, stateMachineName
arn:aws-cn:states:
.us-west-2
:123456789012
:stateMachine:mystateMachine
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "states:RedriveExecution" ], "Resource": "arn:aws-cn:states:us-west-2:
123456789012
:execution:myStateMachine
/myMapRunLabel
:*" } ] }
Examples of IAM policies for reading data from Amazon S3 datasets
The following IAM policy examples grant the least privileges required to access your Amazon S3 datasets using the ListObjectsV2 and GetObject API actions.
Example IAM policy for Amazon S3 object as dataset
The following example shows an IAM policy that grants the least privileges to access
the objects organized within
in an
Amazon S3 bucket named processImages
.amzn-s3-demo-bucket
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws-cn:s3:::
amzn-s3-demo-bucket
" ], "Condition": { "StringLike": { "s3:prefix": [ "processImages
" ] } } } ] }
Example IAM policy for a CSV file as dataset
The following example shows an IAM policy that grants least privileges to access a
CSV file named
.ratings.csv
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws-cn:s3:::
amzn-s3-demo-bucket
/csvDataset
/ratings.csv
" ] } ] }
Example IAM policy for an Amazon S3 inventory as dataset
The following example shows an IAM policy that grants least privileges to access an Amazon S3 inventory report.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws-cn:s3:::
destination-prefix
/amzn-s3-demo-bucket
/config-ID
/YYYY-MM-DDTHH-MMZ
/manifest.json", "arn:aws-cn:s3:::destination-prefix
/amzn-s3-demo-bucket
/config-ID
/data/*" ] } ] }
Example of IAM policy for writing data to an Amazon S3 bucket
The following IAM policy example grants the least privileges required to write your
child workflow execution results to a folder named csvJobs
in an
Amazon S3 bucket using the PutObject
API
action.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws-cn:s3:::
amzn-s3-demo-destination-bucket
/csvJobs
/*" ] } ] }
IAM permissions for Amazon KMS key encrypted Amazon S3 bucket
Distributed Map state uses multipart uploads to write the child workflow execution results to an Amazon S3 bucket. If the bucket is encrypted using an Amazon Key Management Service (Amazon KMS) key, you must also include permissions in your IAM policy to perform the kms:Decrypt
, kms:Encrypt
, and kms:GenerateDataKey
actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload.
The following IAM policy example grants permission to the kms:Decrypt
, kms:Encrypt
, and kms:GenerateDataKey
actions on the key used to encrypt your Amazon S3 bucket.
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Resource": [ "arn:aws-cn:kms:us-east-1:
123456789012
:key/111aa2bb-333c-4d44-5555-a111bb2c33dd
" ] } }
For more information, see Uploading
a large file to Amazon S3 with encryption using an Amazon KMS key
If your IAM user or role is in the same Amazon Web Services account as the KMS key, then you must have these permissions on the key policy. If your IAM user or role belongs to a different account than the KMS key, then you must have the permissions on both the key policy and your IAM user or role.