Troubleshooting service integrations - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting service integrations

My job is complete in the downstream service, but in Step Functions the task state remains "In progress" or its completion is delayed.

For .sync service integration patterns, Step Functions uses EventBridge rules, downstream APIs, or a combination of both to detect the downstream job status. For some services, Step Functions does not create EventBridge rules to monitor the job. For example, for the Amazon Glue service integration, instead of using EventBridge rules, Step Functions makes a glue:GetJobRun call. Because the status is detected only as often as these API calls are made, there is a difference between the downstream task completion time and the Step Functions task completion time. Step Functions requires IAM permissions to manage the EventBridge rules and to make calls to the downstream service. For more details about how insufficient permissions on your execution role can affect the completion of tasks, see Additional permissions for tasks using the Run a Job pattern.

I want to return a JSON output from a nested state machine execution.

Step Functions has two synchronous service integrations for starting a nested state machine: startExecution.sync and startExecution.sync:2. Both wait for the nested state machine to complete, but they return different Output formats. You can use startExecution.sync:2 to return a JSON output under Output.

I can't invoke a Lambda function from another account.

Accessing the Lambda function with cross-account support

If cross-account access of Amazon resources is available in your Region, use the following method to invoke a Lambda function from another account.

To invoke a cross-account resource in your workflows, do the following:

  1. Create an IAM role in the target account that contains the resource. This role grants the source account, containing the state machine, permissions to access the target account's resources.

  2. In the Task state's definition, specify the target IAM role to be assumed by the state machine before invoking the cross-account resource.

  3. Modify the trust policy in the target IAM role to allow the source account to assume this role temporarily. The trust policy must include the Amazon Resource Name (ARN) of the state machine defined in the source account. Also, define the appropriate permissions in the target IAM role to call the Amazon resource.

  4. Update the source account’s execution role to include the required permission for assuming the target IAM role.

For an example, see Tutorial: Accessing cross-account Amazon resources.

Note

You can configure your state machine to assume an IAM role for accessing resources from multiple Amazon Web Services accounts. However, a state machine can assume only one IAM role at a given time.

For an example of a Task state definition that specifies a cross-account resource, see .
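The following added example (not part of the original page or of AWS's own code) checks offline that steps 2 through 4 of the procedure above agree with each other before deployment. It assumes the Task state names the role in a `Credentials.RoleArn` field and that the trust policy carries the state machine ARN as a condition value; the account IDs, role names and the `sts:ExternalId` key in the sample documents are constructed.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_assume_role(stmt):
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", []))

def check_cross_account(task_state, trust_policy, exec_policy, state_machine_arn, target_role_arn):
    """Return findings for steps 2-4; an empty list means the pieces line up."""
    findings = []
    source_account = state_machine_arn.split(":")[4]
    # Step 2: the Task state must name the role to assume.
    if task_state.get("Credentials", {}).get("RoleArn") != target_role_arn:
        findings.append("task state does not specify the target role")
    # Step 3: the trust policy must trust the source account and carry the state machine ARN.
    trusted = False
    for stmt in filter(_allows_assume_role, _as_list(trust_policy["Statement"])):
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append("trust policy allows any principal")
        in_account = any(p == source_account or p.split(":")[4:5] == [source_account]
                         for p in principals)
        pinned = [v for operator in stmt.get("Condition", {}).values()
                  for values in operator.values() for v in _as_list(values)]
        trusted = trusted or (in_account and state_machine_arn in pinned)
    if not trusted:
        findings.append("trust policy does not tie the source account to the state machine ARN")
    # Step 4: the execution role must be allowed to assume the target role.
    grants = filter(_allows_assume_role, _as_list(exec_policy["Statement"]))
    if not any(target_role_arn in _as_list(s.get("Resource", [])) for s in grants):
        findings.append("execution role cannot assume the target role")
    return findings

# Constructed sample documents (account IDs, names and the sts:ExternalId key are assumptions).
SM_ARN = "arn:aws:states:us-west-2:111122223333:stateMachine:example"
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleTargetRole"
TASK = {"Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
        "Credentials": {"RoleArn": ROLE_ARN}, "End": True}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleExecRole"},
                        "Condition": {"StringEquals": {"sts:ExternalId": SM_ARN}}}]}
EXEC = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

if __name__ == "__main__":
    print(check_cross_account(TASK, TRUST, EXEC, SM_ARN, ROLE_ARN))
```

A trust policy that names the source account but omits the state machine ARN is reported as a finding, because any state machine using that execution role could then assume the target role.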

Accessing the Lambda function without cross-account support

If cross-account access of Amazon resources is unavailable in your Region, use the following method to invoke a Lambda function from another account.

In the Task state’s Resource field, use arn:aws:states:::lambda:invoke and pass the function's ARN as FunctionName in Parameters. The IAM role that is associated with the state machine must have the right permission to invoke cross-account Lambda functions: lambda:InvokeFunction.

{
  "StartAt": "CallLambda",
  "States": {
    "CallLambda": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "arn:aws:lambda:us-west-2:123456789012:function:my-function"
      },
      "End": true
    }
  }
}

I'm unable to see task tokens passed from .waitForTaskToken states.

In the Task state’s Parameters field, you must pass a task token. For example, you could use something similar to the following code.

{
  "StartAt": "taskToken",
  "States": {
    "taskToken": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
      "Parameters": {
        "FunctionName": "get-model-review-decision",
        "Payload": {
          "token.$": "$$.Task.Token"
        }
      },
      "End": true
    }
  }
}

Note

You can try to use .waitForTaskToken with any API action. However, some APIs don't have any suitable parameters.