AWS policy for step functions: some actions, resources, or conditions do not provide permissions
I am editing a policy document to allow Lambda sending TaskSuccess to a step function. A statement below, although granting the right permissions, causes the warning to appear. I need advice if this is a "false positive" warning, or I am actually misconfiguring a policy document.
Statement that causes the warning:
{ "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "states:SendTaskSuccess", "states:SendTaskFailure" ], "Resource": "arn:aws:states:eu-central-1:xxxxxxxxxxxx:stateMachine:sample-waiting-step-machine" }
Warning text:
This policy defines some actions, resources, or conditions
that do not provide permissions. To grant access, policies
must have an action that has an applicable resource or condition.
For details, choose Show remaining.
Once I tick "show remaining services", the following warning shows up in the table
- Newest
- Most votes
- Most comments
Hi,
According to the following AWS Github repository issue, you should use Resources: "*" for this policy.
According to https://docs.aws.amazon.com/step-functions/latest/dg/concept-create-iam-advanced.html, Step Function API calls to update task status require "the ARN of the activity or the token of the instance as part of the request". Since the token is provided as an input to the worker Lambda function, I think it's safe to use Resources: "*" for this policy.
Relevant content
- asked a year ago
- asked 7 years ago
- asked a year ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 3 years ago
