botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation

11,962

Solution 1

The reason was that CloudWatchFullAccess policy attached to the SFN_ROLE has not enough permissions for Step Functions workflow to post events into CloudWatch. Once I replaced it with CloudWatchEventsFullAccess everything works ok.

Solution 2

The issue is this

{
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:PutRule",
            "events:DescribeRule"
        ],
        "Resource": [
           "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
        ]
    }

According to AWS Step Function nested workflow Execution, you need to add the specific rule for the step function role to listen and create events StepFunctionsGetEventsForStepFunctionsExecutionRule is the rule you are looking for

Solution 3

Most likely you have missed adding the right policy to the IAM role. Here is a policy from the official documentation that allows you to create, list state machines.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [ 
        "arn:aws:states:*:*:*" 
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ 
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]
Share:
11,962

Related videos on Youtube

Alex Barysevich
Author by

Alex Barysevich

Updated on June 04, 2022

Comments

  • Alex Barysevich
    Alex Barysevich about 2 years

    I am getting the following error when I try to create a state machine based on my state machine definition:

    botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.

    The creation code:

    state_machine = sfn_client.create_state_machine(
    name = 'state-machine',
    definition = state_machine_def,
    roleArn = SFN_ROLE,
)

    My IAM role that I use contains all necessary permissions as described here. What kind of managed-rule does it need to have a permission to create?

  • kylevoyto
    kylevoyto about 4 years
    It looks like CloudWatchEventsFullAccess gives the CFN_ROLE full access to CWE "Action": "events:*", "Resource": "*". Were you able to narrow down the exact permissions required?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related