InvalidArn error specific to StepFunctionsLocal - not reproducible in 'live' AWS stepfunctions

0

Minimum reproduction:

Create a state machine with a singular step with resource arn:aws:states:::states:startExecution.sync, i.e. executing another state machine, and define the ARN using the Fn::GetAtt function.

When executing the parent state machine in Step Functions Local:

Invalid Arn: '{"Fn::GetAtt":["ChildStateMachineId","Arn"]}' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidArn; Request ID: null; Proxy: null)

What happens when executing the parent in the 'live' AWS Step Functions console:

ExecutionSucceeded

Template for an example state machine to reproduce (in yml for brevity):

AWSTemplateFormatVersion: 2010-09-09
Description: The AWS CloudFormation template for this Serverless application
Resources:
  ServerlessDeploymentBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
  ServerlessDeploymentBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref ServerlessDeploymentBucket
      PolicyDocument:
        Statement:
          - Action: 's3:*'
            Effect: Deny
            Principal: '*'
            Resource:
              - !Join 
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
                  - /*
              - !Join 
                - ''
                - - 'arn:'
                  - !Ref 'AWS::Partition'
                  - ':s3:::'
                  - !Ref ServerlessDeploymentBucket
            Condition:
              Bool:
                'aws:SecureTransport': false
  ParentStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'states:StartExecution'
                Resource:
                  - !GetAtt 
                    - ChildStateMachineId
                    - Arn
              - Effect: Allow
                Action:
                  - 'states:DescribeExecution'
                  - 'states:StopExecution'
                Resource: '*'
              - Effect: Allow
                Action:
                  - 'events:PutTargets'
                  - 'events:PutRule'
                  - 'events:DescribeRule'
                Resource:
                  - !Sub 
                    - >-
                      arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule
                    - {}
  ChildStateMachineIdRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: !Sub 'states.${AWS::Region}.amazonaws.com'
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: dev-stepfunctions-statemachine
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Deny
                Action: '*'
                Resource: '*'
  ParentStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: !Sub 
        - |-
          {
            "StartAt": "StartChildStateMachine",
            "States": {
              "StartChildStateMachine": {
                "Type": "Task",
                "Resource": "arn:aws:states:::states:startExecution.sync",
                "Parameters": {
                  "StateMachineArn": "${1e6e8813e9805d9988de892f7ee7123c}",
                  "Input": {
                    "NeedCallback": false
                  }
                },
                "End": true,
                "ResultPath": "$.StartChildStateMachine"
              }
            }
          }
        - 1e6e8813e9805d9988de892f7ee7123c: !GetAtt 
            - ChildStateMachineId
            - Arn
      RoleArn: !GetAtt 
        - ParentStateMachineIdRole
        - Arn
      StateMachineName: ParentStateMachine
    DependsOn:
      - ParentStateMachineIdRole
  ChildStateMachineId:
    Type: 'AWS::StepFunctions::StateMachine'
    Properties:
      DefinitionString: |-
        {
          "StartAt": "ChildDone",
          "States": {
            "ChildDone": {
              "Type": "Succeed"
            }
          }
        }
      RoleArn: !GetAtt 
        - ChildStateMachineIdRole
        - Arn
      StateMachineName: ChildStateMachine
    DependsOn:
      - ChildStateMachineIdRole
Outputs:
  ServerlessDeploymentBucketName:
    Value: !Ref ServerlessDeploymentBucket
    Export:
      Name: sls-stepfunctions-dev-ServerlessDeploymentBucketName
  ParentStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ParentStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ParentStateMachineIdArn
  ChildStateMachineIdArn:
    Description: Current StateMachine Arn
    Value: !Ref ChildStateMachineId
    Export:
      Name: sls-stepfunctions-dev-ChildStateMachineIdArn

Output of aws stepfunctions --endpoint http://localhost:8083 describe-state-machine --state-machine-arn arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine

{
    "stateMachineArn": "arn:aws:states:eu-north-1:101010101010:stateMachine:ParentStateMachine",
    "name": "ParentStateMachine",
    "status": "ACTIVE",
    "definition": "{\"StartAt\":\"StartChildStateMachine\",\"States\":{\"StartChildStateMachine\":{\"Type\":\"Task\",\"Resource\":\"arn:aws:states:::states:startExecution.sync\",\"Parameters\":{\"StateMachineArn\":{\"Fn::GetAtt\":[\"ChildStateMachineId\",\"Arn\"]},\"Input\":{\"NeedCallback\":false}},\"End\":true,\"ResultPath\":\"$.StartChildStateMachine\"}}}",
    "roleArn": "arn:aws:iam::101010101010:role/DummyRole",
    "type": "STANDARD",
    "creationDate": "2023-09-18T14:09:40.648000+02:00"
}
Slawoj
asked 7 months ago, 353 views
1 Answer
-1

Hi,

By default, Step Functions Local uses a local test account and credentials, so in order to interact with other supported services, you need to configure your credentials and other configuration options first. Could that be the problem? If so, take a look at the following link which describes how to do it for both the JAR and Docker.

EXPERT
answered 7 months ago
  • Thank you for taking a look into it, still looks like a bug in SF Local. The reason is because once I replace StateMachineArn with a hardcoded Arn, like arn:aws:states:eu-north-1:101010101010:stateMachine:ChildStateMachine, and start execution of the parent state machine from the CLI, then follow up with describe execution for the resulting execution Arn - I get "status": "SUCCEEDED". So my setup seems fine, I am able to connect to SF Local and start a successful execution, it just works with a hardcoded Arn, doesn't resolve the GetAtt Arn in SF Local, yet does resolve it correctly on AWS.
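
The hardcoded-ARN workaround from the comment above, as an added example (not code from the thread or from AWS): a pre-processing step that finds CloudFormation intrinsics left inside a state machine definition and swaps `Fn::GetAtt [LogicalId, Arn]` for a local ARN before the definition is registered with Step Functions Local. The function names and the `LOCAL_ARNS` mapping are assumptions; the definition and the child ARN are the ones shown on this page.

```python
import json

# Definition string as returned by describe-state-machine in the question.
DEFINITION = '{"StartAt":"StartChildStateMachine","States":{"StartChildStateMachine":{"Type":"Task","Resource":"arn:aws:states:::states:startExecution.sync","Parameters":{"StateMachineArn":{"Fn::GetAtt":["ChildStateMachineId","Arn"]},"Input":{"NeedCallback":false}},"End":true,"ResultPath":"$.StartChildStateMachine"}}}'
# Assumed mapping of CloudFormation logical IDs to local ARNs (ARN taken from the comment).
LOCAL_ARNS = {
    "ChildStateMachineId": "arn:aws:states:eu-north-1:101010101010:stateMachine:ChildStateMachine",
}

def is_intrinsic(node):
    """A CloudFormation intrinsic is a single-key object named Fn::* or Ref (with a string value)."""
    if isinstance(node, dict) and len(node) == 1:
        key = next(iter(node))
        return key.startswith("Fn::") or (key == "Ref" and isinstance(node[key], str))
    return False

def find_intrinsics(node, path="$"):
    """Yield (json_path, intrinsic) for every unresolved intrinsic in a parsed definition."""
    if is_intrinsic(node):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_intrinsics(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_intrinsics(value, f"{path}[{index}]")

def resolve(node, arns):
    """Replace Fn::GetAtt [LogicalId, Arn] with arns[LogicalId]; refuse anything else."""
    if is_intrinsic(node):
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and len(target) == 2 and target[1] == "Arn" and target[0] in arns:
            return arns[target[0]]
        raise ValueError(f"cannot resolve intrinsic locally: {json.dumps(node)}")
    if isinstance(node, dict):
        return {key: resolve(value, arns) for key, value in node.items()}
    if isinstance(node, list):
        return [resolve(value, arns) for value in node]
    return node

def localize(definition, arns):
    """Return a definition string containing only literal ARNs, ready for local registration."""
    return json.dumps(resolve(json.loads(definition), arns))
```

Running `find_intrinsics` over a definition before every local deployment turns the runtime `InvalidArn` failure into an early, explicit check that names the offending JSON path.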
