Invalid security token error when executing nested step function on Step Functions Local

Question

Are nested step functions supported on AWS Step Functions Local? I am trying to create 2 step functions, where the outer one executes the inner one. However, when trying to execute the outer step function, getting an error: "The security token included in the request is invalid".

To reproduce, use the latest `amazon/aws-stepfunctions-local:1.10.1` Docker image. Launch the container with the following command:
```sh
docker run -p 8083:8083 -e AWS_DEFAULT_REGION=us-east-1 -e AWS_ACCESS_KEY_ID=TESTID -e AWS_SECRET_ACCESS_KEY=TESTKEY amazon/aws-stepfunctions-local
```

Then create a simple HelloWorld _inner_ step function in the Step Functions Local container:
```sh
aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"A Hello World example of the Amazon States Language using a Pass state\",\
\"StartAt\": \"HelloWorld\",\
\"States\": {\
    \"HelloWorld\": {\
    \"Type\": \"Pass\",\
    \"End\": true\
    }\
}}" --name "HelloWorld" --role-arn "arn:aws:iam::012345678901:role/DummyRole"
```

Then add a simple _outer_ step function that executes the HelloWorld one:
```sh
aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"OuterTestComment\",\
\"StartAt\": \"InnerInvoke\",\
\"States\": {\
    \"InnerInvoke\": {\
    \"Type\": \"Task\",\
    \"Resource\": \"arn:aws:states:::states:startExecution\",\
    \"Parameters\": {\
        \"StateMachineArn\": \"arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorld\"\
    },\
    \"End\": true\
    }\
}}" --name "HelloWorldOuter" --role-arn "arn:aws:iam::012345678901:role/DummyRole"
```

Finally, start execution of the outer Step Function:
```sh
aws stepfunctions --endpoint-url http://localhost:8083 start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldOuter
```

The execution fails with the _The security token included in the request is invalid_ error in the logs:
```
arn:aws:states:us-east-1:123456789012:execution:HelloWorldOuter:b9627a1f-55ed-41a6-9702-43ffe1cacc2c : {"Type":"TaskSubmitFailed","PreviousEventId":4,"TaskSubmitFailedEventDetails":{"ResourceType":"states","Resource":"startExecution","Error":"StepFunctions.AWSStepFunctionsException","Cause":"The security token included in the request is invalid. (Service: AWSStepFunctions; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: ad8a51c0-b8bf-42a0-a78d-a24fea0b7823; Proxy: null)"}}
```

Am I doing something wrong? Is any additional configuration necessary?

Accepted Answer

Hi Andrius,
I've been able to reproduce your test case, and to update it to a working example:

```
docker run -p 8083:8083 -e AWS_DEFAULT_REGION=xx-yyyy-1 -e AWS_ACCESS_KEY_ID=TESTID -e AWS_SECRET_ACCESS_KEY=TESTKEY -e STEP_FUNCTIONS_ENDPOINT=http://localhost:8083 amazon/aws-stepfunctions-local:1.10.1
```
(two changes from your sample: first the region is purposefully invalid, second and the real solution: the `STEP_FUNCTIONS_ENDPOINT` environment variable is defined to the service itself)

Then your example works, adjusting for the region:
```
aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"A Hello World example of the Amazon States Language using a Pass state\",\
\"StartAt\": \"HelloWorld\",\
\"States\": {\
    \"HelloWorld\": {\
    \"Type\": \"Pass\",\
    \"End\": true\
    }\
}}" --name "HelloWorld" --role-arn "arn:aws:iam::012345678901:role/DummyRole"

aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"OuterTestComment\",\
\"StartAt\": \"InnerInvoke\",\
\"States\": {\
    \"InnerInvoke\": {\
    \"Type\": \"Task\",\
    \"Resource\": \"arn:aws:states:::states:startExecution\",\
    \"Parameters\": {\
        \"StateMachineArn\": \"arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld\"\
    },\
    \"End\": true\
    }\
}}" --name "HelloWorldOuter" --role-arn "arn:aws:iam::012345678901:role/DummyRole"
```

```
aws stepfunctions --endpoint-url http://localhost:8083 start-execution --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter
```

Now looking at the executions:

```
aws stepfunctions --endpoint-url http://localhost:8083 list-executions --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter
{
    "executions": [
        {
            "executionArn": "arn:aws:states:xx-yyyy-1:123456789012:execution:HelloWorldOuter:f2b0c4aa-1b38-4da2-a219-b81b3a40e92e",
            "stateMachineArn": "arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter",
            "name": "f2b0c4aa-1b38-4da2-a219-b81b3a40e92e",
            "status": "SUCCEEDED",
            "startDate": 1653908224.187,
            "stopDate": 1653908224.3
        }
    ]
}
 aws stepfunctions --endpoint-url http://localhost:8083 list-executions --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld
{
    "executions": [
        {
            "executionArn": "arn:aws:states:xx-yyyy-1:123456789012:execution:HelloWorld:5f9e4d20-cbf1-4051-93fd-6c108356d657",
            "stateMachineArn": "arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld",
            "name": "5f9e4d20-cbf1-4051-93fd-6c108356d657",
            "status": "SUCCEEDED",
            "startDate": 1653908224.284,
            "stopDate": 1653908224.286
        }
    ]
}
```
We can observe that the inner execution is contained within the outer.

Invalid security token error when executing nested step function on Step Functions Local

Relevanter Inhalt