InvalidArn error specific to StepFunctionsLocal - not reproducible in 'live' AWS stepfunctions
Minimum reproduction:
Create a state machine, with a singular step with resource arn:aws:states:::states:startExecution.sync, i.e. executing another state machine, and define the arn using Fn::GetAtt function.
When executing the parent state machine in Step Functions Local:
Invalid Arn: '{"Fn::GetAtt":["ChildStateMachineId","Arn"]}' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidArn; Request ID: null; Proxy: null)
What happens when executing the parent in 'live' AWS stepfunctions console:
ExecutionSucceeded
Template for an example state machine to reproduce (in yml for brevity):
AWSTemplateFormatVersion: 2010-09-09
Description: The AWS CloudFormation template for this Serverless application
Resources:
  ServerlessDeploymentBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ServerlessDeploymentBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref ServerlessDeploymentBucket
      PolicyDocument:
        Statement:
          - Action: 's3:*'
            Effect: Deny
            Principal: '*'
            Resource:
              - !Join
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
                  - /*
              - !Join
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
            Condition:
              Bool:
                'aws:SecureTransport': false
  ParentStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'states:StartExecution'
                Resource:
                  - !GetAtt
                    - ChildStateMachineId
                    - Arn
              - Effect: Allow
                Action:
                  - 'states:DescribeExecution'
                  - 'states:StopExecution'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'events:PutTargets'
                  - 'events:PutRule'
                  - 'events:DescribeRule'
                Resource:
                  - !Sub
                    - >-
                      arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule
                    - {}
  ChildStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: '*'
                Resource: '*'
  ParentStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: !Sub
        - |-
          {
            "StartAt": "StartChildStateMachine",
            "States": {
              "StartChildStateMachine": {
                "Type": "Task",
                "Resource": "arn:aws:states:::states:startExecution.sync",
                "Parameters": {
                  "StateMachineArn": "${1e6e8813e9805d9988de892f7ee7123c}",
                  "Input": {
                    "NeedCallback": false
                  }
                },
                "End": true,
                "ResultPath": "$.StartChildStateMachine"
              }
            }
          }
        - 1e6e8813e9805d9988de892f7ee7123c: !GetAtt
            - ChildStateMachineId
            - Arn
      RoleArn: !GetAtt
        - ParentStateMachineIdRole
        - Arn
      StateMachineName: ParentStateMachine
    DependsOn:
      - ParentStateMachineIdRole
  ChildStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: |-
        {
          "StartAt": "ChildDone",
          "States": {
            "ChildDone": {
              "Type": "Succeed"
            }
          }
        }
      RoleArn: !GetAtt
        - ChildStateMachineIdRole
        - Arn
      StateMachineName: ChildStateMachine
    DependsOn:
      - ChildStateMachineIdRole
Outputs:
  ServerlessDeploymentBucketName:
    Value: !Ref ServerlessDeploymentBucket
    Export:
      Name: sls-stepfunctions-dev-ServerlessDeploymentBucketName
  ParentStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ParentStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ParentStateMachineIdArn
  ChildStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ChildStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ChildStateMachineIdArn
Output of aws stepfunctions --endpoint http://localhost:8083 describe-state-machine --state-machine-arn arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine:
{
    "stateMachineArn": "arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine",
    "name": "ParentStateMachine",
    "status": "ACTIVE",
    "definition": "{\"StartAt\":\"StartChildStateMachine\",\"States\":{\"StartChildStateMachine\":{\"Type\":\"Task\",\"Resource\":\"arn:aws:states:::states:startExecution.sync\",\"Parameters\":{\"StateMachineArn\":{\"Fn::GetAtt\":[\"ChildStateMachineId\",\"Arn\"]},\"Input\":{\"NeedCallback\":false}},\"End\":true,\"ResultPath\":\"$.StartChildStateMachine\"}}}",
    "roleArn": "arn:aws:iam::101010101010:role/DummyRole",
    "type": "STANDARD",
    "creationDate": "2023-09-18T14:09:40.648000+02:00"
}
Hi,
By default, Step Functions Local uses a local test account and credentials, so in order to interact with other supported services, you need to configure your credentials and other configuration options first. Could that be the problem? If so, take a look at the following link which describes how to do it for both the JAR and Docker.
Thank you for taking a look into it, still looks like a bug in SF Local. The reason is because once I replace StateMachineArn with hardcoded Arn, like arn:aws:states:eu-north-1:101010101010:stateMachine:ChildStateMachine, and start execution of the parent state machine from CLI, then follow up with describe execution for the resulting execution Arn - I get "status": "SUCCEEDED". So my setup seems fine, I am able to connect to SF Local and start successful execution, it just works with hardcoded Arn, doesn't resolve GetAtt Arn in SF Local, yet does resolve it correctly on AWS.
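
Added example, not part of the thread and not AWS tooling: the describe-state-machine output in the question shows the definition stored in Step Functions Local still holding the CloudFormation intrinsic as a JSON object, which is the value the InvalidArn error echoes back. The sketch below scans a definition for such leftover intrinsics and substitutes Fn::GetAtt ... Arn from a logical-ID-to-ARN map, generalising the hard-coded-ARN workaround in the comment above; the function names and the map are hypothetical.

```python
import json

def find_unresolved(node, path="$"):
    """Yield (path, object) for each CloudFormation intrinsic left in an ASL definition."""
    if isinstance(node, dict):
        key = next(iter(node)) if len(node) == 1 else ""
        if key == "Ref" or key.startswith("Fn::"):
            yield path, node
            return
        for name, value in node.items():
            yield from find_unresolved(value, f"{path}.{name}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_unresolved(value, f"{path}[{index}]")

def resolve_getatt_arn(node, arns):
    """Replace {"Fn::GetAtt": [id, "Arn"]} with arns[id]; leave everything else as is."""
    if isinstance(node, dict):
        target = node.get("Fn::GetAtt") if len(node) == 1 else None
        if isinstance(target, str):  # short form "LogicalId.Arn"
            target = target.split(".", 1)
        if (isinstance(target, list) and len(target) == 2
                and target[1] == "Arn" and target[0] in arns):
            return arns[target[0]]
        return {name: resolve_getatt_arn(value, arns) for name, value in node.items()}
    if isinstance(node, list):
        return [resolve_getatt_arn(value, arns) for value in node]
    return node

# "definition" string from the describe-state-machine output in the question.
DEFINITION = json.loads(
    '{"StartAt":"StartChildStateMachine","States":{"StartChildStateMachine":{"Type":"Task",'
    '"Resource":"arn:aws:states:::states:startExecution.sync","Parameters":{"StateMachineArn":'
    '{"Fn::GetAtt":["ChildStateMachineId","Arn"]},"Input":{"NeedCallback":false}},'
    '"End":true,"ResultPath":"$.StartChildStateMachine"}}}'
)
# Assumed mapping of logical ID -> ARN, using the hard-coded ARN from the follow-up comment.
ARNS = {"ChildStateMachineId":
        "arn:aws:states:eu-north-1:101010101010:stateMachine:ChildStateMachine"}

if __name__ == "__main__":
    for path, obj in find_unresolved(DEFINITION):
        print(f"unresolved intrinsic at {path}: {json.dumps(obj)}")
    fixed = resolve_getatt_arn(DEFINITION, ARNS)
    print("remaining after substitution:", list(find_unresolved(fixed)))
    print(json.dumps(fixed))  # definition with a plain string ARN
```

Intrinsics that are not in the map are left in place, so a second `find_unresolved` pass reports anything that would still reach Step Functions Local unresolved.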