Creating an IAM role for your state machine in Step Functions
Amazon Step Functions can execute code and access Amazon resources (such as invoking an Amazon Lambda function). To maintain security, you must grant Step Functions access to those resources by using an IAM role.
The Tutorials for learning Step Functions in this guide enable you to take advantage of automatically generated IAM roles that are valid for the Amazon Region in which you create the state machine. However, you can create your own IAM role for a state machine.
When creating an IAM policy for your state machines to use, the policy should include the permissions that you would like the state machines to assume. You can use an existing Amazon managed policy as an example, or you can create a custom policy from scratch that meets your specific needs. For more information, see Creating IAM policies in the IAM User Guide.
To create your own IAM role for a state machine, follow the steps in this section.
In this example, you create an IAM role with permission to invoke a Lambda function.
Create a role for Step Functions
1. Sign in to the IAM console, and then choose Roles, Create role.
2. On the Select trusted entity page, under Amazon service, select Step Functions from the list, and then choose Next: Permissions.
3. On the Attached permissions policy page, choose Next: Review.
4. On the Review page, enter StepFunctionsLambdaRole for Role Name, and then choose Create role. The IAM role appears in the list of roles.
For more information about IAM permissions and policies, see Access Management in the IAM User Guide.
Prevent cross-service confused deputy issue
The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In Amazon, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). This type of impersonation can happen cross-account and cross-service. The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access.
To prevent confused deputies, Amazon provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. This section focuses on cross-service confused deputy prevention specific to Amazon Step Functions; however, you can learn more about this topic in the confused deputy problem section of the IAM User Guide.
We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies to limit the permissions that Step Functions gives another service to access your resources. Use aws:SourceArn if you want only one resource to be associated with the cross-service access. Use aws:SourceAccount if you want to allow any resource in that account to be associated with the cross-service use.
The most effective way to protect against the confused deputy problem is to use the aws:SourceArn global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource, or if you're specifying multiple resources, use the aws:SourceArn global condition context key with wildcard characters (*) for the unknown portions of the ARN. For example, arn:aws-cn:states:*:111122223333:*.
Here's an example of a trust policy that shows how you can use aws:SourceArn and aws:SourceAccount with Step Functions to prevent the confused deputy issue.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "states.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws-cn:states:us-east-1:111122223333:stateMachine:*"
        },
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
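A practitioner reviewing many roles wants a quick way to tell whether a Step Functions trust policy actually carries the conditions described above. The following script is an added example, not code from the AWS documentation: it parses a trust policy document and reports every statement that lets states.amazonaws.com assume the role without an aws:SourceArn or aws:SourceAccount condition. The account id, region and ARNs in the sample policies are constructed placeholders.

```python
"""Check a Step Functions IAM trust policy for confused-deputy protection.

Added example (not from the AWS documentation). It inspects the statements that
let states.amazonaws.com call sts:AssumeRole and reports any that lack an
aws:SourceArn or aws:SourceAccount condition. All account ids and ARNs are
constructed placeholders.
"""
import json

STEP_FUNCTIONS_PRINCIPAL = "states.amazonaws.com"

# Constructed sample: a trust policy scoped with both condition keys.
SCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["states.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {"aws:SourceArn": "arn:aws-cn:states:cn-north-1:111122223333:stateMachine:*"},
            "StringEquals": {"aws:SourceAccount": "111122223333"},
        },
    }],
})

# Constructed sample: the same trust with no Condition block, so a state machine
# in any account could cause this role to be assumed on its behalf.
UNSCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "states.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Flatten {"ArnLike": {"aws:SourceArn": ...}, ...} into a lowercase key set."""
    keys = set()
    for operator_values in (condition or {}).values():
        for key in operator_values:
            keys.add(key.lower())
    return keys


def _service_principals(statement):
    """Return the service principals named by a statement (empty for '*' or AWS principals)."""
    principal = statement.get("Principal")
    if not isinstance(principal, dict):
        return []
    return _as_list(principal.get("Service"))


def check_trust_policy(document):
    """Return a list of findings; an empty list means every Step Functions trust is scoped.

    A statement is examined when it allows sts:AssumeRole to the Step Functions
    service principal. It passes if its Condition block names aws:SourceArn or
    aws:SourceAccount (IAM condition keys are case-insensitive).
    """
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        if STEP_FUNCTIONS_PRINCIPAL not in _service_principals(statement):
            continue
        keys = _condition_keys(statement.get("Condition"))
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(
                f"Statement {index}: {STEP_FUNCTIONS_PRINCIPAL} may assume this role "
                "without an aws:SourceArn or aws:SourceAccount condition"
            )
    return findings


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_TRUST_POLICY), ("unscoped", UNSCOPED_TRUST_POLICY)):
        print(name, check_trust_policy(doc) or "OK")
```

The check only looks at statements that actually grant sts:AssumeRole to states.amazonaws.com, so a policy that trusts other services is not flagged for those statements; run it over the output of the IAM get-role call for each role whose trust policy names Step Functions.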
Attach an Inline Policy
Step Functions can control other services directly in a Task state. Attach inline policies to allow Step Functions to access the API actions of the services you need to control.
1. Open the IAM console, choose Roles, search for your Step Functions role, and select that role.
2. Select Add inline policy.
3. Use the Visual editor or the JSON tab to create policies for your role.
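For the role created earlier on this page, the inline policy a Task state needs is one that allows lambda:InvokeFunction on the specific function the state machine calls. The script below is an added example, not from the AWS documentation: it builds that least-privilege policy for a given function ARN and includes a check that flags Allow statements granting a bare "*" Action, a whole-service wildcard such as "lambda:*", or a "*" Resource, which is what you want to catch before pasting a policy into the JSON tab. The function ARN is a constructed placeholder.

```python
"""Build and check an inline permissions policy for a Step Functions role.

Added example, not from the AWS documentation. It produces the policy a role
needs to run a Task state that invokes one Lambda function, and checks any
policy for Allow statements that use bare wildcards. The ARN is a constructed
placeholder.
"""
import json

# Constructed placeholder for the function the Task state invokes.
FUNCTION_ARN = "arn:aws-cn:lambda:cn-north-1:111122223333:function:MyFunction"


def lambda_invoke_policy(function_arn):
    """Least-privilege inline policy: invoke exactly one function, nothing else.

    The second resource entry (function ARN followed by ':*') covers invocations
    of a published version or alias of the same function.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeOneFunction",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": [function_arn, f"{function_arn}:*"],
        }],
    }


def _as_list(value):
    """IAM accepts a single string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return the indices of Allow statements that grant a bare '*' Action, a
    whole-service Action such as 'lambda:*', or a '*' Resource."""
    flagged = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    policy = lambda_invoke_policy(FUNCTION_ARN)
    print(json.dumps(policy, indent=2))          # paste this into the JSON tab
    print("over-broad statements:", overbroad_statements(policy))
```

Scoping the Resource to the function ARN rather than "*" means that even if the state machine definition is later changed to reference another function, the role cannot invoke it until the policy is deliberately updated.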
For more information about how Amazon Step Functions can control other Amazon services, see Integrating services with Step Functions.
Note
For examples of IAM policies created by the Step Functions console, see How Step Functions generates IAM policies for integrated services.