aws:approve – Pause an automation for manual approval
Temporarily pauses an automation until designated principals either approve or reject the action. After the required number of approvals is reached, the automation resumes. You can insert the approval step any place in the mainSteps section of your runbook.
Note
This action doesn't support multi-account and Region automations. The default timeout for this action is 7 days (604800 seconds) and the maximum value is 30 days (2592000 seconds). You can limit or extend the timeout by specifying the timeoutSeconds parameter for an aws:approve step.
In the following example, the aws:approve action temporarily pauses the automation until one approver either accepts or rejects the automation. Upon approval, the automation runs a simple PowerShell command.
You can approve or deny Automations that are waiting for approval in the console.
To approve or deny waiting Automations
- Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.
- In the navigation pane, choose Automation.
- Choose the option next to an Automation with a status of Waiting.
- Choose Approve/Deny.
- Review the details of the Automation.
- Choose either Approve or Deny, type an optional comment, and then choose Submit.
Input example
- NotificationArn
  The Amazon Resource Name (ARN) of an Amazon Simple Notification Service (Amazon SNS) topic for Automation approvals. When you specify an aws:approve step in a runbook, Automation sends a message to this topic letting principals know that they must either approve or reject an Automation step. The title of the Amazon SNS topic must be prefixed with "Automation".
  Type: String
  Required: No
- Message
  The information you want to include in the Amazon SNS topic when the approval request is sent. The maximum message length is 4096 characters.
  Type: String
  Required: No
- MinRequiredApprovals
  The minimum number of approvals required to resume the automation. If you don't specify a value, the system defaults to one. The value for this parameter must be a positive number. The value for this parameter can't exceed the number of approvers defined by the Approvers parameter.
  Type: Integer
  Required: No
- Approvers
  A list of Amazon authenticated principals who are able to either approve or reject the action. The maximum number of approvers is 10. You can specify principals by using any of the following formats:
  - A user name
  - A user ARN
  - An IAM role ARN
  - An IAM assume role ARN
  Type: StringList
  Required: Yes
- EnhancedApprovals
  This input is only used for Change Manager templates. A list of Amazon authenticated principals who are able to either approve or reject the action, the type of IAM principal, and the minimum number of approvers. The following is an example:

  schemaVersion: "0.3"
  emergencyChange: false
  autoApprovable: false
  mainSteps:
    - name: ApproveAction1
      action: aws:approve
      timeoutSeconds: 604800
      inputs:
        Message: Please approve this change request
        MinRequiredApprovals: 3
        EnhancedApprovals:
          Approvers:
            - approver: John Stiles
              type: IamUser
              minRequiredApprovals: 0
            - approver: Ana Carolina Silva
              type: IamUser
              minRequiredApprovals: 0
            - approver: GroupOfThree
              type: IamGroup
              minRequiredApprovals: 0
            - approver: RoleOfTen
              type: IamRole
              minRequiredApprovals: 0

  Type: StringList
  Required: Yes
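The limits stated for the inputs above can be checked before a runbook is deployed. The following Python linter is an added example, not code from the original page or from AWS; its function names and the sample runbook are constructed for illustration. It assumes the runbook has already been parsed into a dict, treats the SNS topic "title" as the topic name in the ARN, and does not cover the Change Manager EnhancedApprovals input.

```python
# Added example: lint aws:approve steps against the limits stated on this page.
MAX_TIMEOUT = 2592000     # 30 days, the documented maximum
DEFAULT_TIMEOUT = 604800  # 7 days, the documented default
MAX_APPROVERS = 10
MAX_MESSAGE_LEN = 4096

def lint_approve_step(step):
    """Return findings for one aws:approve step; an empty list means clean."""
    findings = []
    inputs = step.get("inputs", {})
    approvers = inputs.get("Approvers") or []
    min_required = inputs.get("MinRequiredApprovals", 1)  # documented default
    if not approvers:
        findings.append("Approvers is required")
    elif len(approvers) > MAX_APPROVERS:
        findings.append("more than 10 approvers")
    if type(min_required) is not int or min_required < 1:
        findings.append("MinRequiredApprovals must be a positive number")
    elif approvers and min_required > len(approvers):
        findings.append("MinRequiredApprovals exceeds the number of approvers")
    if step.get("timeoutSeconds", DEFAULT_TIMEOUT) > MAX_TIMEOUT:
        findings.append("timeoutSeconds exceeds 30 days")
    if len(inputs.get("Message", "")) > MAX_MESSAGE_LEN:
        findings.append("Message is longer than 4096 characters")
    arn = inputs.get("NotificationArn")
    # Assumption: the topic "title" is the topic name, the last field of the ARN.
    if arn is not None and not arn.rsplit(":", 1)[-1].startswith("Automation"):
        findings.append('SNS topic name is not prefixed with "Automation"')
    return findings

def lint_runbook(runbook):
    """Map step name to findings for every aws:approve step in mainSteps."""
    return {s["name"]: lint_approve_step(s)
            for s in runbook.get("mainSteps", [])
            if s.get("action") == "aws:approve"}

# Constructed sample runbook (account IDs, names and ARNs are made up).
SAMPLE_RUNBOOK = {"schemaVersion": "0.3", "mainSteps": [
    {"name": "GoodGate", "action": "aws:approve", "timeoutSeconds": 3600,
     "inputs": {"NotificationArn": "arn:aws-cn:sns:cn-north-1:111122223333:AutomationApproval",
                "Message": "Approve the patch run?", "MinRequiredApprovals": 1,
                "Approvers": ["arn:aws-cn:iam::111122223333:user/ExampleUser"]}},
    {"name": "BadGate", "action": "aws:approve", "timeoutSeconds": 3000000,
     "inputs": {"NotificationArn": "arn:aws-cn:sns:cn-north-1:111122223333:ChangeApprovals",
                "MinRequiredApprovals": 2, "Approvers": ["ExampleUser"]}},
    {"name": "Run", "action": "aws:runCommand", "inputs": {}}]}
if __name__ == "__main__":
    for name, findings in lint_runbook(SAMPLE_RUNBOOK).items():
        print(name, findings or "OK")
```

A step whose MinRequiredApprovals exceeds its approver count can never collect enough approvals, so catching it in review avoids a gate that only ends by rejection or timeout.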
Output
- ApprovalStatus
  The approval status of the step. The status can be one of the following: Approved, Rejected, or Waiting. Waiting means that Automation is waiting for input from approvers.
  Type: String
- ApproverDecisions
  A JSON map that includes the approval decision of each approver.
  Type: MapList