Lambda function cannot invoke Step Function using LabRole on AWS Academy

0

I'm using AWS Academy, where I am not allowed to create IAM roles; all I can use is the LabRole.

I am trying to use a Lambda function to invoke my Step Function using StartExecution, but it didn't work. I got the error below from CloudWatch. However, it should work with LabRole.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the StartExecution operation: User: arn:aws:sts::051823271855:assumed-role/LabRole/my-s3-function is not authorized to access this resource
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 20, in lambda_handler
    input = json.dumps(input))
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)

Wendy
asked a year ago, 297 views
1 Answer
0

Hi Wendy,

Are you able to attach a custom policy to the Lab role as described here? https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html (Modifying a role permissions policy (console)).

Then you can select the Step Functions StartExecution action and associate it with a resource ARN.

Hope it helps ;)

EXPERT
answered a year ago
  • I tried this before, but I can't attach a role policy. The error was: Errors attaching policies to the role. Policy AWSStepFunctionsConsoleFullAccess not added. User: arn:aws:sts::051823271855:assumed-role/voclabs/user**** is not authorized to perform: iam:AttachRolePolicy on resource: role LabRole because no identity-based policy allows the iam:AttachRolePolicy action

    Thank you so much for your help!

  • Strange. I'd try to add iam:AttachRolePolicy to your user. Most likely it will fail because the lab is maybe too restrictive. Do you have an option to restart the lab (destroy and redo)?

  • I can restart the lab, but it didn't help. I found that the LabRole of my TA is the same as mine. Do you have any suggestions about connecting S3 with Step Functions? I tried EventBridge before, but it also didn't work because of the LabRole.

  • But did you manage to execute the step function from lambda?

    Is the S3 question related to this problem, or is it another one? You would need to elaborate on it a bit, either here or in a new question, depending on which it is.

  • Yes, I used stepFunction.start_execution( stateMachineArn='arn:aws:states:XXXXXXXXXXXXXXXX:stateMachine:my-state-machine',...) from my lambda.
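A worked version of what this thread describes, as an added example that is not code from any post above: a handler that calls StartExecution, turns the AccessDeniedException into a readable diagnosis of which principal was denied, and emits the single-statement least-privilege policy the answer suggests attaching to the role. The state machine ARN, the account ID and the DenyingClient stand-in for boto3 are constructed placeholders.

```python
import json
import os
import re
import uuid

# Constructed placeholder ARN; in Lambda this would come from an environment variable.
STATE_MACHINE_ARN = os.environ.get(
    "STATE_MACHINE_ARN", "arn:aws:states:us-east-1:123456789012:stateMachine:my-state-machine")

# Matches both denial formats seen in the thread: "...is not authorized to access this
# resource" and "...is not authorized to perform: <action> on resource: <resource>".
_DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to (?:perform: "
                     r"(?P<action>\S+) on resource: (?P<resource>.+?)(?: because|$)|access this resource)")

def start_execution_policy(state_machine_arn):
    """Least-privilege identity policy: only states:StartExecution on one machine."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "states:StartExecution", "Resource": state_machine_arn}]}

def parse_access_denied(message):
    """Extract principal/action/resource from an AccessDenied message, or {} if unmatched."""
    m = _DENIED.search(message)
    return {k: v for k, v in m.groupdict().items() if v} if m else {}

def start_state_machine(client, state_machine_arn, payload):
    """Call StartExecution; on AccessDenied return a diagnosis instead of a bare traceback."""
    try:
        resp = client.start_execution(stateMachineArn=state_machine_arn,
                                      name="run-" + uuid.uuid4().hex, input=json.dumps(payload))
        return {"ok": True, "executionArn": resp["executionArn"]}
    except Exception as exc:  # botocore ClientError carries .response["Error"]
        err = getattr(exc, "response", {}).get("Error", {})
        if err.get("Code") != "AccessDeniedException":
            raise
        return {"ok": False, "denied": parse_access_denied(err.get("Message", str(exc))),
                "needed_policy": start_execution_policy(state_machine_arn)}

class DenyingClient:
    """Constructed stand-in for boto3's client that raises the denial quoted in the thread."""
    def start_execution(self, **kwargs):
        msg = ("User: arn:aws:sts::123456789012:assumed-role/LabRole/my-s3-function "
               "is not authorized to access this resource")
        exc = Exception("An error occurred (AccessDeniedException) when calling the "
                        "StartExecution operation: " + msg)
        exc.response = {"Error": {"Code": "AccessDeniedException", "Message": msg}}
        raise exc

def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs offline
    return start_state_machine(boto3.client("stepfunctions"), STATE_MACHINE_ARN, event)
```

With the real client the returned dictionary lands in CloudWatch as structured output, so the denied principal and the exact statement to attach are visible without reading a traceback.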
