Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

How Amazon Step Functions Works with IAM

Amazon Step Functions can execute code and access Amazon resources (such as invoking an Amazon Lambda function). To maintain security, you must grant Step Functions access to those resources by using an IAM role.

The Tutorials for Step Functions in this guide enable you to take advantage of automatically generated IAM roles that are valid for the Amazon Region in which you create the state machine. To create your own IAM role for a state machine, follow the steps in this section.

In this example, you create an IAM role with permission to invoke a Lambda function.

Create a role for Step Functions

  1. Sign in to the IAM console, and then choose Roles, Create role.

  2. On the Select type of trusted entity page, under Amazon service, select Step Functions from the list, and then choose Next: Permissions.

  3. On the Attached permissions policy page, choose Next: Review.

  4. On the Review page, enter StepFunctionsLambdaRole for Role Name, and then choose Create role.

    The IAM role appears in the list of roles.

For more information about IAM permissions and policies, see Access Management in the IAM User Guide.

Attach an Inline Policy

Step Functions can control other services directly in a task state. Attach inline policies that grant the role the API actions of the services your state machine needs to control, and no more than those.

  1. Open the IAM console, choose Roles, search for your Step Functions role, and select that role.

  2. Select Add inline policy.

  3. Use the Visual editor or the JSON tab to create policies for your role.

For more information about how Amazon Step Functions can control other Amazon services, see Using Amazon Step Functions with other services.
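As an added example (not code from the Step Functions guide), the two documents the procedures above produce: the trust policy behind the role from "Create a role for Step Functions" and an inline policy for "Attach an Inline Policy" that is scoped to a single Lambda function, plus a check that flags statements granting a whole service or every resource. The service principal and CLI options named below are real; the function ARN and account ID are constructed placeholders.

```python
import json

# Trust policy: only the Step Functions service principal may assume the role.
# This is what choosing Step Functions as the trusted entity generates.
STEP_FUNCTIONS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "states.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed placeholder ARN (aws-cn partition, as used in the China Regions).
EXAMPLE_FUNCTION_ARN = "arn:aws-cn:lambda:cn-north-1:111122223333:function:example-fn"

def lambda_invoke_policy(function_arns):
    """Inline policy that lets the role invoke only the listed functions."""
    if not function_arns:
        raise ValueError("at least one Lambda function ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["lambda:InvokeFunction"],
            "Resource": list(function_arns),
        }],
    }

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def overbroad_statements(policy):
    """Allow statements granting a whole service's actions or every resource."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            found.append(stmt)
    return found

def policy_json(policy):
    """Serialise for --assume-role-policy-document / --policy-document file://..."""
    return json.dumps(policy, indent=2)
```

Save the two serialised documents and create the role with `aws iam create-role --role-name StepFunctionsLambdaRole --assume-role-policy-document file://trust.json`, then attach the inline policy with `aws iam put-role-policy --role-name StepFunctionsLambdaRole --policy-name LambdaInvoke --policy-document file://lambda-invoke.json`.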

Note

For examples of IAM policies created by the Step Functions console, see IAM Policies for integrated services.