当我尝试根据我的状态机定义创建状态机时,出现以下错误:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.
创建代码:
state_machine = sfn_client.create_state_machine(
name = 'state-machine',
definition = state_machine_def,
roleArn = SFN_ROLE,
)
我使用的 IAM 角色包含此处所述的所有必要权限。什么样的托管规则需要有创建权限?
原因是附加到 SFN_ROLE 的 CloudWatchFullAccess 策略没有足够的权限让 Step Functions 工作流将事件发布到 CloudWatch。一旦我将其替换为 CloudWatchEventsFullAccess 一切正常。
问题是这样的
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
}
根据AWS Step Function 嵌套工作流执行,您需要添加 Step Function 角色的具体规则来监听和创建事件
StepFunctionsGetEventsForStepFunctionsExecutionRule
就是您要找的规则
您很可能错过了向 IAM 角色添加正确的策略。这是官方文档中的一项策略,允许您创建、列出状态机。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": [
"arn:aws:states:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam:::role/my-execution-role"
]
}
]
}