Creating an IAM role for your state machine - Amazon Step Functions
Create a role for Step FunctionsPrevent cross-service confused deputy issueAttach an Inline Policy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an IAM role for your state machine

Amazon Step Functions can execute code and access Amazon resources (such as invoking an Amazon Lambda function). To maintain security, you must grant Step Functions access to those resources by using an IAM role.

The Tutorials for Step Functions in this guide enable you to take advantage of automatically generated IAM roles that are valid for the Amazon Region in which you create the state machine. However, you can create your own IAM role for a state machine.

When creating an IAM policy for your state machines to use, the policy should include the permissions that you would like the state machines to assume. You can use an existing Amazon managed policy as an example or you can create a custom policy from scratch that meets your specific needs. For more information, see Creating IAM policies in the IAM User Guide

To create your own IAM role for a state machine, follow the steps in this section.

In this example, you create an IAM role with permission to invoke a Lambda function.

Create a role for Step Functions

  1. Sign in to the IAM console, and then choose Roles, Create role.

  2. On the Select trusted entity page, under Amazon service, select Step Functions from the list, and then choose Next: Permissions.

  3. On the Attached permissions policy page, choose Next: Review.

  4. On the Review page, enter StepFunctionsLambdaRole for Role Name, and then choose Create role.

    The IAM role appears in the list of roles.

For more information about IAM permissions and policies, see Access Management in the IAM User Guide.

Prevent cross-service confused deputy issue

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In Amazon, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). This type of impersonation can happen cross-account and cross-service. The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access.

To prevent confused deputies, Amazon provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. This section focuses on cross-service confused deputy prevention specific to Amazon Step Functions; however, you can learn more about this topic in the confused deputy problem section of the IAM User Guide.

We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies to limit the permissions that Step Functions gives another service to access your resources. Use aws:SourceArn if you want only one resource to be associated with the cross-service access. Use aws:SourceAccount if you want to allow any resource in that account to be associated with the cross-service use.

The most effective way to protect against the confused deputy problem is to use the aws:SourceArn global condition context key with the full ARN of the resource. If you don’t know the full ARN of the resource, or if you're specifying multiple resources, use the aws:SourceArn global context condition key with wildcard characters (*) for the unknown portions of the ARN. For example, arn:aws-cn:states:*:111122223333:*.

Here's an example of a trusted policy that shows how you can use aws:SourceArn and aws:SourceAccount with Step Functions to prevent the confused deputy issue.

{
  "Version":"2012-10-17",
  "Statement":[
     {
        "Effect":"Allow",
        "Principal":{
           "Service":[
              "states.amazonaws.com"
           ]
        },
        "Action":"sts:AssumeRole",
        "Condition":{
           "ArnLike":{
              "aws:SourceArn":"arn:aws-cn:states:us-east-1:111122223333:stateMachine:*"
           },
           "StringEquals":{
              "aws:SourceAccount":"111122223333"
           }
        }
     }
  ]
}

Attach an Inline Policy

Step Functions can control other services directly in a Task state. Attach inline policies to allow Step Functions to access the API actions of the services you need to control.

  1. Open the IAM console, choose Roles, search for your Step Functions role, and select that role.

  2. Select Add inline policy.

  3. Use the Visual editor or the JSON tab to create policies for your role.

For more information about how Amazon Step Functions can control other Amazon services, see Using Amazon Step Functions with other services.

Note

For examples of IAM policies created by the Step Functions console, see IAM Policies for integrated services.