botocore.exceptions.ClientError：调用 CreateStateMachine 操作时发生错误 (AccessDeniedException)

Question

当我尝试根据我的状态机定义创建状态机时出现以下错误：

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateStateMachine operation: 'role' is not authorized to create managed-rule.

创建代码：

state_machine = sfn_client.create_state_machine(
    name = 'state-machine',
    definition = state_machine_def,
    roleArn = SFN_ROLE,
)

我使用的 IAM 角色包含所有必要的权限，如 here 所述。它需要什么样的托管规则才能拥有创建权限？

Answer 1

您很可能错过了向 IAM 角色添加正确的策略。这是来自official documentation 的政策，允许您创建、列出状态机。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [ 
        "arn:aws:states:*:*:*" 
      ]
    },
    {
      "Effect": "Allow",
      "Action": [ 
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]

Answer 2

原因是 SFN_ROLE 附加的 CloudWatchFullAccess 策略没有足够的权限让 Step Functions 工作流将事件发布到 CloudWatch。一旦我用 CloudWatchEventsFullAccess 替换它，一切正常。

Answer 3

事实证明，添加 CloudWatchEventsFullAccess 适用于 stepfunctions

Answer 4

问题是这样的

{
        "Effect": "Allow",
        "Action": [
            "events:PutTargets",
            "events:PutRule",
            "events:DescribeRule"
        ],
        "Resource": [
           "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
        ]
    }

根据AWS Step Function nested workflow Execution，需要添加step function角色监听和创建事件的具体规则StepFunctionsGetEventsForStepFunctionsExecutionRule就是你要找的规则