Cross-Account Step Functions Callback Issue

1

I have a step function in account A that invokes another step function in account B. The step function in account A is waiting for the callback, but I'm having issues receiving the task success from the step function in account B. This is the lambda code in account B that is trying to send back the success of the task:

result = stepfunctions.send_task_success(**params)

Error I'm getting: an error occurred (AccessDeniedException) when calling the SendTaskSuccess operation: User is not authorized to access this resource.

Can someone give me a step-by-step guide to fix this issue?

Thanks!

AWS
asked 2 months ago, 233 views
4 Answers
1

To ensure seamless interaction between accounts A and B, follow these steps:

  1. Create Role in Account B: Establish a role within account B that permits account A to assume it as a trusted entity. Additionally, grant this role permissions to execute actions on the lambda function within account B.
  2. Create Role in Account A: Set up a role within account A, allowing it to assume the role defined in account B as a trusted entity.

This configuration establishes the following relationship:

Role A ==> Role B ==> Perform action over lambda in B

The "Access Denied" exception arises when the role in Account B lacks the requisite permissions to execute actions on the lambda function.

Here are examples of roles in both accounts with their trusted entities:

Policy in Account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::987654321098:role/LambdaExecutionRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Policy in Account B:

Trust policy (attached to the role in Account B as its trust relationship):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/CrossAccountRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permissions policy (attached to the same role; a Principal element is not allowed here, so the two statements cannot share one document):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "states:SendTaskSuccess"
      ],
      "Resource": [
        "arn:aws:lambda:region:123456789012:function:my-function",
        "arn:aws:states:region:account-id:stateMachine:state-machine-name"
      ]
    }
  ]
}
EXPERT
answered 2 months ago
1

Hi, in order for the Lambda function to invoke actions in Account A, it needs to assume a role in Account A that gives it permissions to call Step Functions actions in Account A. The IAM role in Account A needs to have the required permissions and a trust relationship policy that allows the IAM role in Account B to assume it. The Lambda function in Account B must include code that uses STS to assume the role in Account A and get temporary credentials that allow it to use resources defined in Account A (Step Functions). Once it gets the temporary credentials, it uses those credentials to send the task success for the step function in Account A. Please check the following re:Post as reference: https://repost.aws/knowledge-center/lambda-function-assume-iam-role

AWS
answered 2 months ago
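The role setup from the first answer and the STS flow from the answer above, put together as an added example (this is not code from the thread, from re:Post or from AWS). It assumes the direction the answer above describes: the Lambda execution role in account B assumes a role in account A, and the temporary credentials are used to call SendTaskSuccess against the execution in account A. All account ids, role names, the region and the task token are constructed placeholders.

```python
# Added example (not from the thread): cross-account SendTaskSuccess via STS.
# Account ids, role names, region and the task token are constructed placeholders.
import json
from typing import Any, Callable, Dict, Optional

ACCOUNT_A = "111111111111"  # owns the state machine waiting for the callback
ACCOUNT_B = "222222222222"  # owns the Lambda function that sends the callback
ROLE_IN_A = f"arn:aws:iam::{ACCOUNT_A}:role/SfnCallbackRole"          # assumed role
LAMBDA_ROLE_IN_B = f"arn:aws:iam::{ACCOUNT_B}:role/LambdaExecutionRole"  # trusted principal


def trust_policy_for_role_in_a() -> Dict[str, Any]:
    """Trust relationship on ROLE_IN_A: only the Lambda execution role in
    account B may assume it. Without this, AssumeRole itself is denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": LAMBDA_ROLE_IN_B},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy_for_role_in_a() -> Dict[str, Any]:
    """Identity policy on ROLE_IN_A: only the callback actions. Resource is "*"
    here; consult the Step Functions service authorization reference before
    trying to scope the SendTask* actions to a state machine ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["states:SendTaskSuccess", "states:SendTaskFailure",
                       "states:SendTaskHeartbeat"],
            "Resource": "*",
        }],
    }


def assume_role_policy_for_lambda_in_b() -> Dict[str, Any]:
    """Identity policy on LAMBDA_ROLE_IN_B: may assume ROLE_IN_A and nothing
    else in account A (least privilege on the calling side)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": ROLE_IN_A,
        }],
    }


def credentials_from_sts(response: Dict[str, Any]) -> Dict[str, str]:
    """Map an AssumeRole response onto boto3 client keyword arguments."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def send_callback(task_token: str, output: Dict[str, Any], *,
                  region: str = "us-east-1",
                  sts_client: Optional[Any] = None,
                  sfn_factory: Optional[Callable[..., Any]] = None) -> Dict[str, Any]:
    """Assume ROLE_IN_A, then call SendTaskSuccess with the temporary credentials.
    sts_client / sfn_factory are injectable so the flow can be exercised offline;
    by default real boto3 clients are built (boto3 is imported lazily, assumed
    present in the Lambda runtime)."""
    if sts_client is None or sfn_factory is None:
        import boto3
        sts_client = sts_client or boto3.client("sts")
        sfn_factory = sfn_factory or (lambda **kw: boto3.client("stepfunctions", **kw))
    resp = sts_client.assume_role(RoleArn=ROLE_IN_A,
                                  RoleSessionName="sfn-callback",
                                  DurationSeconds=900)  # shortest allowed session
    sfn = sfn_factory(region_name=region, **credentials_from_sts(resp))
    # The token identifies the waiting task in account A; output must be JSON text.
    return sfn.send_task_success(taskToken=task_token, output=json.dumps(output))


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Lambda entry point in account B; the task token arrives in the event
    that account A passed when it invoked the child workflow."""
    return send_callback(event["taskToken"], {"status": "done"})
```

The three policy helpers print the documents you attach on each side; the AccessDeniedException in the question is what you get when either the trust relationship or the states:SendTaskSuccess statement is missing, so check both before touching the Lambda code.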
0

Hello,

Verify that the IAM execution role used by the Lambda function has the correct permissions to call sendTaskSuccess on the Step Function in account A. It will need sfn:SendTaskSuccess permissions. Also check the link below: https://docs.aws.amazon.com/step-functions/latest/dg/troubleshooting-service-integrations.html

answered 2 months ago
0

Hi,

I'd strongly suggest reading the following 2 blog posts to get your implementation working, as they provide answers to your questions:

Best,

Didier

AWS
EXPERT
answered 2 months ago
