AWS policy for step functions: some actions, resources, or conditions do not provide permissions

0

I am editing a policy document to allow Lambda sending TaskSuccess to a step function. A statement below, although granting the right permissions, causes the warning to appear. I need advice if this is a "false positive" warning, or I am actually misconfiguring a policy document.

Statement that causes the warning:

    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "states:SendTaskSuccess",
        "states:SendTaskFailure"
      ],
      "Resource": "arn:aws:states:eu-central-1:xxxxxxxxxxxx:stateMachine:sample-waiting-step-machine"
    }

Warning text:

This policy defines some actions, resources, or conditions 
that do not provide permissions. To grant access, policies 
must have an action that has an applicable resource or condition. 
For details, choose Show remaining.

Once I tick "show remaining services", the following warning shows up in the table warning

1 Answer
2
Accepted Answer

Hi,

According to the following AWS Github repository issue, you should use Resources: "*" for this policy.

According to https://docs.aws.amazon.com/step-functions/latest/dg/concept-create-iam-advanced.html, Step Function API calls to update task status require "the ARN of the activity or the token of the instance as part of the request". Since the token is provided as an input to the worker Lambda function, I think it's safe to use Resources: "*" for this policy.

profile picture
EXPERT
answered 10 months ago
profile picture
EXPERT
reviewed 13 days ago
profile picture
EXPERT
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions