I'm using AWS Academy, where I am not allowed to create IAM roles; the only role I can use is LabRole.
I am trying to use a Lambda function to invoke my Step Function using StartExecution, but it didn't work. I got the error below from CloudWatch. However, it should work with LabRole.
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the StartExecution operation: User: arn:aws:sts::051823271855:assumed-role/LabRole/my-s3-function is not authorized to access this resource
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 20, in lambda_handler
    input = json.dumps(input))
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
I tried this before, but I can't attach role policy. The error was: Errors attaching policies to the role. Policy AWSStepFunctionsConsoleFullAccess not added. User: arn:aws:sts::051823271855:assumed-role/voclabs/user**** is not authorized to perform: iam:AttachRolePolicy on resource: role LabRole because no identity-based policy allows the iam:AttachRolePolicy action
Thank you so much for your help!
Strange. I'd try to add iam:AttachRolePolicy to your user. Most likely it will fail because the lab is maybe too restrictive. Do you have an option to restart the lab (destroy and redo)?
I can restart the lab, but it didn't help. I found that the LabRole of my TA is the same as mine. Do you have any suggestions about connecting S3 with Step Functions? I tried EventBridge before, but it also didn't work because of the LabRole.
But did you manage to execute the step function from lambda?
Is the S3 question related to this problem, or is it another one? You would need to elaborate on it a bit, either here or in a new question, depending on that.
Yes, I used stepFunction.start_execution( stateMachineArn='arn:aws:states:XXXXXXXXXXXXXXXX:stateMachine:my-state-machine',...) from my lambda.
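Added example, not part of the thread: a small parser that splits the two access-denied messages quoted above into principal, action and reason, which makes it visible that they were raised for different roles (the Lambda's LabRole session and the console's voclabs session). The function names are hypothetical and the sample strings are constructed from the messages in the question.

```python
import re

# Constructed from the two error messages quoted in the thread.
LAMBDA_ERROR = (
    "An error occurred (AccessDeniedException) when calling the StartExecution "
    "operation: User: arn:aws:sts::051823271855:assumed-role/LabRole/my-s3-function "
    "is not authorized to access this resource")
CONSOLE_ERROR = (
    "User: arn:aws:sts::051823271855:assumed-role/voclabs/user**** "
    "is not authorized to perform: iam:AttachRolePolicy on resource: role LabRole "
    "because no identity-based policy allows the iam:AttachRolePolicy action")

_PRINCIPAL = re.compile(
    r"User: arn:aws:sts::(\d{12}):assumed-role/([^/\s]+)/(\S+)")
_OPERATION = re.compile(r"\((\w+)\) when calling the (\w+) operation")
_ACTION = re.compile(r"not authorized to perform: ([\w-]+:\w+)")
_RESOURCE = re.compile(r"on resource: (.+?)(?= because |$)")
_REASON = re.compile(r" because (.+)$")


def _group(pattern, message, index=1):
    """Return one capture group, or None when the message lacks that part."""
    match = pattern.search(message)
    return match.group(index) if match else None


def parse_access_denied(message):
    """Split an AWS access-denied message into its identifying fields."""
    principal = _PRINCIPAL.search(message)
    if principal is None:
        raise ValueError("no assumed-role principal found in message")
    return {
        "account": principal.group(1),
        "role": principal.group(2),      # the role whose policies were evaluated
        "session": principal.group(3),   # Lambda function name or console user
        "error_code": _group(_OPERATION, message, 1),
        "operation": _group(_OPERATION, message, 2),
        "action": _group(_ACTION, message),
        "resource": _group(_RESOURCE, message),
        "reason": _group(_REASON, message),
    }


def same_role(a, b):
    """True when both denials were evaluated against the same account and role."""
    return (a["account"], a["role"]) == (b["account"], b["role"])
```
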