How do I troubleshoot "Neither the global service principal states.amazonaws.com, nor the regional one is authorized to assume the provided role" errors in AWS Step Functions?

2 minute read
0

When I try to run my AWS Step Functions state machine, I receive the following error: "Neither the global service principal states.amazonaws.com, nor the regional one is authorized to assume the provided role." How do I troubleshoot the issue?

Resolution

Verify that the AWS Identity and Access Management (IAM) role that your state machine assumes has the required trust relationships configured

One of the following must be listed as a trusted entity in the IAM role's trust policy:

  • An AWS Regional endpoint: states.<region>.amazonaws.com
  • The AWS global endpoint: states.amazonaws.com

To review and edit the trust policy of the IAM role that your state machine assumes, follow the instructions in Modifying a role trust policy (console). For more information, see How AWS Step Functions works with IAM.

Note: When the StartExecution API action is called, Step Functions uses the IAM role that's associated with the state machine during the duration of the action's runtime. If the IAM role that the state machine assumes is changed during the action's runtime, then the IAM role isn't used on that API action.

Verify that the IAM role that your state machine assumes still exists

1.    Open the Step Functions console.

2.    In the left navigation pane, choose State machines.

3.    Select the name of your state machine.

4.    In the Details section, choose the link under IAM role ARN. If the IAM role exists, the role opens in the IAM console. If the IAM role doesn't exist, the IAM console opens a page that says No Entity Found.

If the IAM role that your state machine assumes doesn't exist, create a new IAM role with a different name that includes the required permissions. Then, configure your state machine to assume the new IAM role that you created. For more information, see How AWS Step Functions works with IAM.

Important: The new IAM role that you create must have a different name than the previous IAM role.

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago