botocore.exceptions.ClientError:调用CreateStateMachine操作时出错(AccessDeniedException)

Question

当我尝试基于我的状态机定义创建状态机时，我得到了以下错误：

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.

创建代码：

state_machine = sfn_client.create_state_machine(
    name = 'state-machine',
    definition = state_machine_def,
    roleArn = SFN_ROLE,
)

我使用的IAM角色包含所有必要的权限，如here所述。创建哪种类型的托管规则需要权限？

Answer 1

原因是附加到SFN_ROLE的CloudWatchFullAccess策略没有足够的权限让步骤函数工作流将事件发布到CloudWatch中。一旦我将其替换为CloudWatchEventsFullAccess，一切工作正常。

Answer 2

很可能您没有将正确的策略添加到IAM角色。这是一个来自official documentation的策略，它允许您创建、列出状态机。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [ 
        "arn:aws:states:*:*:*" 
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ 
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]

Answer 3

问题是这样

{
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:PutRule",
            "events:DescribeRule"
        ],
        "Resource": [
           "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
        ]
    }

根据AWS Step Function nested workflow Execution的说法，您需要为step function角色添加特定规则以侦听和创建事件StepFunctionsGetEventsForStepFunctionsExecutionRule就是您要查找的规则