Invalid security token error when executing nested step function on Step Functions Local

Are nested step functions supported on AWS Step Functions Local? I am trying to create 2 step functions, where the outer one executes the inner one. However, when trying to execute the outer step function, I get an error: "The security token included in the request is invalid".

To reproduce, use the latest amazon/aws-stepfunctions-local:1.10.1 Docker image. Launch the container with the following command:

docker run -p 8083:8083 -e AWS_DEFAULT_REGION=us-east-1 -e AWS_ACCESS_KEY_ID=TESTID -e AWS_SECRET_ACCESS_KEY=TESTKEY amazon/aws-stepfunctions-local

Then create a simple HelloWorld inner step function in the Step Functions Local container:

aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"A Hello World example of the Amazon States Language using a Pass state\",\
\"StartAt\": \"HelloWorld\",\
\"States\": {\
    \"HelloWorld\": {\
    \"Type\": \"Pass\",\
    \"End\": true\
    }\
}}" --name "HelloWorld" --role-arn "arn:aws:iam::012345678901:role/DummyRole"

Then add a simple outer step function that executes the HelloWorld one:

aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"OuterTestComment\",\
\"StartAt\": \"InnerInvoke\",\
\"States\": {\
    \"InnerInvoke\": {\
    \"Type\": \"Task\",\
    \"Resource\": \"arn:aws:states:::states:startExecution\",\
    \"Parameters\": {\
        \"StateMachineArn\": \"arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorld\"\
    },\
    \"End\": true\
    }\
}}" --name "HelloWorldOuter" --role-arn "arn:aws:iam::012345678901:role/DummyRole"

Finally, start execution of the outer Step Function:

aws stepfunctions --endpoint-url http://localhost:8083 start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldOuter

The execution fails with the "The security token included in the request is invalid" error in the logs:

arn:aws:states:us-east-1:123456789012:execution:HelloWorldOuter:b9627a1f-55ed-41a6-9702-43ffe1cacc2c : {"Type":"TaskSubmitFailed","PreviousEventId":4,"TaskSubmitFailedEventDetails":{"ResourceType":"states","Resource":"startExecution","Error":"StepFunctions.AWSStepFunctionsException","Cause":"The security token included in the request is invalid. (Service: AWSStepFunctions; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: ad8a51c0-b8bf-42a0-a78d-a24fea0b7823; Proxy: null)"}}

Am I doing something wrong? Is any additional configuration necessary?

1 Answer
Accepted Answer

Hi Andrius, I've been able to reproduce your test case, and to update it to a working example:

docker run -p 8083:8083 -e AWS_DEFAULT_REGION=xx-yyyy-1 -e AWS_ACCESS_KEY_ID=TESTID -e AWS_SECRET_ACCESS_KEY=TESTKEY -e STEP_FUNCTIONS_ENDPOINT=http://localhost:8083 amazon/aws-stepfunctions-local:1.10.1

(Two changes from your sample: first, the region is purposefully invalid; second, and the real solution, the STEP_FUNCTIONS_ENDPOINT environment variable is set to the service itself.)

Then your example works, adjusting for the region:

aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"A Hello World example of the Amazon States Language using a Pass state\",\
\"StartAt\": \"HelloWorld\",\
\"States\": {\
    \"HelloWorld\": {\
    \"Type\": \"Pass\",\
    \"End\": true\
    }\
}}" --name "HelloWorld" --role-arn "arn:aws:iam::012345678901:role/DummyRole"

aws stepfunctions --endpoint-url http://localhost:8083 create-state-machine --definition "{\
\"Comment\": \"OuterTestComment\",\
\"StartAt\": \"InnerInvoke\",\
\"States\": {\
    \"InnerInvoke\": {\
    \"Type\": \"Task\",\
    \"Resource\": \"arn:aws:states:::states:startExecution\",\
    \"Parameters\": {\
        \"StateMachineArn\": \"arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld\"\
    },\
    \"End\": true\
    }\
}}" --name "HelloWorldOuter" --role-arn "arn:aws:iam::012345678901:role/DummyRole"

aws stepfunctions --endpoint-url http://localhost:8083 start-execution --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter

Now looking at the executions:

aws stepfunctions --endpoint-url http://localhost:8083 list-executions --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter
{
    "executions": [
        {
            "executionArn": "arn:aws:states:xx-yyyy-1:123456789012:execution:HelloWorldOuter:f2b0c4aa-1b38-4da2-a219-b81b3a40e92e",
            "stateMachineArn": "arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorldOuter",
            "name": "f2b0c4aa-1b38-4da2-a219-b81b3a40e92e",
            "status": "SUCCEEDED",
            "startDate": 1653908224.187,
            "stopDate": 1653908224.3
        }
    ]
}

aws stepfunctions --endpoint-url http://localhost:8083 list-executions --state-machine-arn arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld
{
    "executions": [
        {
            "executionArn": "arn:aws:states:xx-yyyy-1:123456789012:execution:HelloWorld:5f9e4d20-cbf1-4051-93fd-6c108356d657",
            "stateMachineArn": "arn:aws:states:xx-yyyy-1:123456789012:stateMachine:HelloWorld",
            "name": "5f9e4d20-cbf1-4051-93fd-6c108356d657",
            "status": "SUCCEEDED",
            "startDate": 1653908224.284,
            "stopDate": 1653908224.286
        }
    ]
}

We can observe that the inner execution is contained within the outer.

answered 2 years ago
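
A pre-flight check for the fix in the accepted answer, as an added example (not code from the original post or from AWS): it walks a state machine definition, finds nested startExecution tasks, and reports when the container environment lacks STEP_FUNCTIONS_ENDPOINT or when a StateMachineArn region differs from AWS_DEFAULT_REGION. The function names, the env dictionaries and the finding messages are assumptions made for illustration.

```python
import json

NESTED_PREFIX = "arn:aws:states:::states:startExecution"

def iter_states(definition):
    """Yield (name, state) for every state, descending into Parallel and Map."""
    for name, state in definition.get("States", {}).items():
        yield name, state
        for branch in state.get("Branches", []):        # Parallel branches
            yield from iter_states(branch)
        for key in ("Iterator", "ItemProcessor"):       # Map sub-workflows
            if key in state:
                yield from iter_states(state[key])

def check_nested_calls(definition_json, container_env):
    """Return findings for nested-execution tasks, given the container's env."""
    findings = []
    region = container_env.get("AWS_DEFAULT_REGION")
    for name, state in iter_states(json.loads(definition_json)):
        resource = state.get("Resource", "")
        if state.get("Type") != "Task" or not resource.startswith(NESTED_PREFIX):
            continue
        # The accepted answer's fix: the container must be told where
        # Step Functions itself lives.
        if not container_env.get("STEP_FUNCTIONS_ENDPOINT"):
            findings.append(f"{name}: STEP_FUNCTIONS_ENDPOINT is not set")
        # A dynamic "StateMachineArn.$" cannot be checked statically; skip it.
        parts = state.get("Parameters", {}).get("StateMachineArn", "").split(":")
        if len(parts) >= 7 and parts[3] != region:
            findings.append(f"{name}: StateMachineArn region {parts[3]} "
                            f"differs from AWS_DEFAULT_REGION {region}")
    return findings

# Constructed sample input: the outer definition and the two docker
# environments shown in the question and in the answer.
OUTER = json.dumps({
    "StartAt": "InnerInvoke",
    "States": {"InnerInvoke": {
        "Type": "Task",
        "Resource": "arn:aws:states:::states:startExecution",
        "Parameters": {"StateMachineArn":
            "arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorld"},
        "End": True}}})
QUESTION_ENV = {"AWS_DEFAULT_REGION": "us-east-1"}
ANSWER_ENV = {"AWS_DEFAULT_REGION": "xx-yyyy-1",
              "STEP_FUNCTIONS_ENDPOINT": "http://localhost:8083"}

if __name__ == "__main__":
    for label, env in (("question", QUESTION_ENV), ("answer", ANSWER_ENV)):
        print(label, check_nested_calls(OUTER, env) or "ok")
```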
