botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation
Solution 1
The reason was that the CloudWatchFullAccess policy attached to the SFN_ROLE did not have enough permissions for the Step Functions workflow to post events into CloudWatch. Once I replaced it with CloudWatchEventsFullAccess, everything works OK.
Solution 2
The issue is this:

{
    "Effect": "Allow",
    "Action": [
        "events:PutTargets",
        "events:PutRule",
        "events:DescribeRule"
    ],
    "Resource": [
        "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
    ]
}

According to the AWS documentation on Step Functions nested workflow executions, you need to add the specific rule permission for the Step Functions role to listen for and create events. StepFunctionsGetEventsForStepFunctionsExecutionRule is the rule you are looking for.
Solution 3
Most likely you have missed adding the right policy to the IAM role. Here is a policy from the official documentation that allows you to create and list state machines:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:ListStateMachines",
                "states:ListActivities",
                "states:CreateStateMachine",
                "states:CreateActivity"
            ],
            "Resource": [
                "arn:aws:states:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam:::role/my-execution-role"
            ]
        }
    ]
}
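Added example, not code from the question or from any of the answers above: it builds the two policy documents that Solutions 2 and 3 discuss (the execution role's permission on the one managed EventBridge rule, and the caller's states:* plus iam:PassRole permission) and checks locally, with a small IAM-style matcher, what each document authorises compared with a stand-in for CloudWatchEventsFullAccess (events:* on *, as the closing comment summarises it). The region, account ID and role name are constructed placeholders, and the matcher handles only "*" wildcards, not conditions or NotAction.

```python
"""Least-privilege policies for the 'not authorized to create managed-rule' error.

Added example, not code from the question or the answers. Region, account ID
and role name below are constructed placeholders (assumptions).
"""
import fnmatch
import json

# Constructed sample identifiers (assumptions; substitute your own).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/my-execution-role"

# Actions Step Functions performs with the state machine's role when it sets up
# the managed EventBridge rule for a nested execution (Solution 2).
MANAGED_RULE_ACTIONS = ("events:PutTargets", "events:PutRule", "events:DescribeRule")


def managed_rule_arn(region: str, account_id: str) -> str:
    """ARN of the managed rule named in the error message and in Solution 2."""
    return (f"arn:aws:events:{region}:{account_id}:rule/"
            "StepFunctionsGetEventsForStepFunctionsExecutionRule")


def execution_role_policy(region: str, account_id: str) -> dict:
    """Policy for the state machine's execution role, scoped to that one rule."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(MANAGED_RULE_ACTIONS),
            "Resource": [managed_rule_arn(region, account_id)],
        }],
    }


def caller_policy(execution_role_arn: str) -> dict:
    """Policy for the principal that calls CreateStateMachine (Solution 3):
    it may create/list state machines and pass exactly one execution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["states:ListStateMachines", "states:ListActivities",
                           "states:CreateStateMachine", "states:CreateActivity"],
                "Resource": ["arn:aws:states:*:*:*"],
            },
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [execution_role_arn]},
        ],
    }


# Stand-in for the AWS managed policy CloudWatchEventsFullAccess, which the
# closing comment summarises as events:* on *. Constructed here, not fetched.
CLOUDWATCH_EVENTS_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "events:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Only '*' wildcards in Action/Resource are handled;
    conditions, NotAction/NotResource and resource policies are out of scope."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_create_managed_rule(policy: dict, region: str, account_id: str) -> bool:
    """True if the policy lets the role create/update the managed rule, i.e.
    the permission whose absence produces 'is not authorized to create managed-rule'."""
    arn = managed_rule_arn(region, account_id)
    return all(is_allowed(policy, act, arn) for act in MANAGED_RULE_ACTIONS)


if __name__ == "__main__":
    scoped = execution_role_policy(REGION, ACCOUNT_ID)
    stray_rule = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/unrelated-rule"
    print(json.dumps(scoped, indent=2))
    print("scoped policy creates managed rule:", can_create_managed_rule(scoped, REGION, ACCOUNT_ID))
    print("scoped policy touches other rules:", is_allowed(scoped, "events:DeleteRule", stray_rule))
    print("full-access policy touches other rules:",
          is_allowed(CLOUDWATCH_EVENTS_FULL_ACCESS, "events:DeleteRule", stray_rule))
```

Both the scoped statement and the full-access stand-in satisfy the managed-rule check, which is why Solution 1 works; the difference is that the scoped policy denies events:DeleteRule (or anything else) on every other rule in the account, while events:* on * does not. Note that the scoped ARN is region-specific, so a state machine in another region needs its own statement.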
Alex Barysevich
Updated on June 04, 2022
Comments
-
Alex Barysevich about 2 years
I am getting the following error when I try to create a state machine based on my state machine definition:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.
The creation code:
state_machine = sfn_client.create_state_machine(
    name='state-machine',
    definition=state_machine_def,
    roleArn=SFN_ROLE,
)
The IAM role that I use contains all the necessary permissions as described here. What kind of managed-rule does it need to have permission to create?
-
kylevoyto about 4 years
It looks like CloudWatchEventsFullAccess gives the CFN_ROLE full access to CWE ("Action": "events:*", "Resource": "*"). Were you able to narrow down the exact permissions required?