IAM policies for Amazon Lambda calls in Step Functions
The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see How Step Functions generates IAM policies for integrated services and Discover service integration patterns in Step Functions.
Amazon Step Functions generates an IAM policy based on your state machine definition. For a state machine with two Amazon Lambda task states that call function1 and function2, a policy with lambda:Invoke permissions for the two functions must be used.
This is shown in the following example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:[[region]]:[[accountId]]:function:[[function1]]",
        "arn:aws:lambda:[[region]]:[[accountId]]:function:[[function2]]"
      ]
    }
  ]
}
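The following added example (not part of the original page and not Step Functions' own code) derives a policy of the shape shown above from a state machine definition, and reports resources that an attached policy grants beyond the functions the definition references. It goes beyond the two-function case by recursing into Parallel and Map states and by listing states whose function name is only resolved at run time. The function names lambda_targets, build_policy and excess_resources are hypothetical, and the sample definition, region and account ID are constructed.

```python
import json
from fnmatch import fnmatchcase
# Constructed sample definition; region, account ID and state names are placeholders.
DEFINITION = json.loads("""{"StartAt": "A", "States": {
  "A": {"Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "Next": "B",
        "Parameters": {"FunctionName": "arn:aws:lambda:us-east-1:111122223333:function:function1"}},
  "B": {"Type": "Task", "Next": "C",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:function2"},
  "C": {"Type": "Task", "Resource": "arn:aws:states:::lambda:invoke", "End": true,
        "Parameters": {"FunctionName.$": "$.fn"}}}}""")

def lambda_targets(states):
    """Return (static function ARNs, states whose function is only known at run time)."""
    arns, dynamic = set(), []
    for name, state in states.items():
        if state.get("Type") == "Task":
            target = state.get("Resource", "")
            parts = target.split(":")
            if parts[2:3] == ["states"] and parts[5:6] == ["lambda"]:
                # Service integration: the function is named in Parameters.
                params = state.get("Parameters", {})
                target = params.get("FunctionName", "")
                if "FunctionName.$" in params:
                    dynamic.append(name)
            parts = target.split(":")
            if parts[2:3] == ["lambda"] and parts[5:6] == ["function"]:
                arns.add(target)
        # Recurse into Parallel branches and Map iterators.
        nested = list(state.get("Branches", []))
        nested += [state[k] for k in ("Iterator", "ItemProcessor") if k in state]
        for sub in nested:
            sub_arns, sub_dynamic = lambda_targets(sub["States"])
            arns |= sub_arns
            dynamic += sub_dynamic
    return arns, dynamic

def build_policy(arns):
    """Policy in the shape shown above: one Allow statement, explicit ARNs only."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["lambda:InvokeFunction"], "Resource": sorted(arns)}]}

def excess_resources(policy, arns):
    """Resources a policy lets the role invoke that the definition never references."""
    extra = set()
    for st in policy["Statement"]:
        as_list = lambda v: v if isinstance(v, list) else [v]
        allows = any(fnmatchcase("lambda:invokefunction", a.lower()) for a in as_list(st["Action"]))
        if st["Effect"] == "Allow" and allows:
            extra |= set(as_list(st["Resource"])) - arns
    return sorted(extra)
```

States returned in the second element of lambda_targets cannot be scoped from the definition alone, so their permissions need a manual review.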