
Provide more grant APIs for the StateMachine construct

See original GitHub issue

Like StateMachine#grantStartExecution, it should be possible to have a StateMachine#grantDescribeExecution.

Use Case

In order to improve readability and have a standard way of giving permissions over a StateMachine. As a DevOps engineer, I'll want to give an AWS resource permission to describe an execution.

Proposed Solution

First create an executionArn, like the stateMachineArn, because the ARNs are different when giving permissions. For example:

    arn:aws:states:us-east-1:1234567890:stateMachine:StateMachineExample
    arn:aws:states:us-east-1:1234567890:execution:StateMachineExample

Then create a method grantDescribeExecution and use the executionArn.

Something like this:

abstract class StateMachineBase extends Resource implements IStateMachine {
    // ...
    public abstract readonly stateMachineArn: string;
    public abstract readonly executionArn: string;
    /**
     * Grant the given identity permissions to start an execution of this state
     * machine.
     */
    public grantStartExecution(identity: iam.IGrantable): iam.Grant {
        return iam.Grant.addToPrincipal({
            grantee: identity,
            actions: ['states:StartExecution'],
            resourceArns: [this.stateMachineArn]
        });
    }
    /**
     * Grant the given identity permissions to describe executions of this state
     * machine. Executions have their own ARN type, so the stateMachineArn would
     * not match them.
     */
    public grantDescribeExecution(identity: iam.IGrantable): iam.Grant {
        return iam.Grant.addToPrincipal({
            grantee: identity,
            actions: ['states:DescribeExecution'],
            // The idea is to cover arn:aws:states:us-east-1:123456:execution:StateMachineExample:*
            // I'm not sure about this, there could be a better way?
            resourceArns: [`${this.executionArn}:*`]
        });
    }
}

and

export class StateMachine extends StateMachineBase {
    /**
     * The name of the state machine
     */
    public readonly stateMachineName: string;
    /**
     * The ARN of the state machine
     */
    public readonly stateMachineArn: string;
    /**
     * The ARN prefix of this state machine's executions (execution:<name>)
     */
    public readonly executionArn: string;
    constructor(scope: Construct, id: string, props: StateMachineProps) {
        // ... (super() call and the CfnStateMachine `resource`, as in the existing constructor)
        this.stateMachineName = this.getResourceNameAttribute(resource.attrName);
        this.stateMachineArn = this.getResourceArnAttribute(resource.ref, {
          service: 'states',
          resource: 'stateMachine',
          resourceName: this.physicalName,
          sep: ':',
        });

        // Same partition/region/account/name as the state machine, but the 'execution' resource type
        this.executionArn = this.getResourceArnAttribute(resource.ref, {
          service: 'states',
          resource: 'execution',
          resourceName: this.physicalName,
          sep: ':',
        });
    }
}

On the other hand, and not totally related, this could also be done:

    /**
     * Grant the given identity permissions to report a task of this state
     * machine as succeeded.
     */
    public grantSendTaskSuccess(identity: iam.IGrantable): iam.Grant {
        return iam.Grant.addToPrincipal({
            grantee: identity,
            actions: ['states:SendTaskSuccess'],
            resourceArns: [this.stateMachineArn]
        });
    }
    /**
     * Grant the given identity permissions to report a task of this state
     * machine as failed.
     */
    public grantSendTaskFailure(identity: iam.IGrantable): iam.Grant {
        return iam.Grant.addToPrincipal({
            grantee: identity,
            actions: ['states:SendTaskFailure'],
            resourceArns: [this.stateMachineArn]
        });
    }

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 2
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

1 reaction
nija-at commented, Feb 10, 2020

I would re-shape these APIs to be -

  1. a grantRead() which provides Describe, List and a number of other read operations,
  2. a grantTaskResponse() (or something similar) that provides both SendTaskSuccess, SendTaskFailure and SendTaskHeartbeat that allow for the task to report its status, and
  3. a general grant() API that takes a list of string IAM action names that can be used by the user for fine-grained control.
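The ARN and policy shapes behind the proposal in the issue (executionArn vs stateMachineArn, and the `[executionArn, "*"]` question) and behind the grantRead()/grantTaskResponse()/grant() split suggested in the comment above, as an added example in plain TypeScript. This is not aws-cdk code and does not use the CDK API: the grant functions here return plain IAM statement JSON, the state machine name OrderPipeline and every ARN are constructed sample values, and isAllowed() is a small evaluator that models only IAM's `*` and `?` wildcards over Allow statements (no Deny, conditions or resource-based policies). It goes one step past the issue by comparing the naive stateMachineArn grant, the over-broad `["executionArn", "*"]` variant and the scoped `execution:<name>:*` pattern against the same execution ARNs.

```typescript
// Added example (plain TypeScript, not aws-cdk code). Models the ARN shapes
// behind the grant APIs discussed above and checks which resource ARNs each
// generated statement really covers. All ARNs are constructed sample values.

interface PolicyStatementJson {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

interface StateMachineArnParts {
  partition: string;
  region: string;
  account: string;
  name: string;
}

// Standard-workflow state machine ARN: arn:<partition>:states:<region>:<account>:stateMachine:<name>
const STATE_MACHINE_ARN = /^arn:([^:]+):states:([^:]+):(\d{12}):stateMachine:([^:]+)$/;

function parseStateMachineArn(arn: string): StateMachineArnParts {
  const m = STATE_MACHINE_ARN.exec(arn);
  if (!m) throw new Error(`not a state machine ARN: ${arn}`);
  return { partition: m[1], region: m[2], account: m[3], name: m[4] };
}

// Executions are a different resource type ("execution") and carry the execution
// id as an extra segment, so a statement scoped to the stateMachine ARN never
// matches them. The trailing ":*" covers every execution of this machine only.
function executionArnPattern(stateMachineArn: string): string {
  const p = parseStateMachineArn(stateMachineArn);
  return `arn:${p.partition}:states:${p.region}:${p.account}:execution:${p.name}:*`;
}

// Generic grant(): the caller picks the actions; resources default to the
// state machine itself (the fine-grained shape suggested in the comment above).
function grantActions(stateMachineArn: string, actions: string[], resources?: string[]): PolicyStatementJson {
  return { Effect: 'Allow', Action: [...actions], Resource: resources ?? [stateMachineArn] };
}

function grantStartExecution(stateMachineArn: string): PolicyStatementJson {
  return grantActions(stateMachineArn, ['states:StartExecution']);
}

// grantRead(): machine-level reads on the stateMachine ARN, execution-level reads
// on the execution pattern. Two statements because the resource types differ.
// The action list is this example's choice, not the set CDK ended up shipping.
function grantRead(stateMachineArn: string): PolicyStatementJson[] {
  return [
    grantActions(stateMachineArn, ['states:DescribeStateMachine', 'states:ListExecutions']),
    grantActions(stateMachineArn,
      ['states:DescribeExecution', 'states:GetExecutionHistory', 'states:DescribeStateMachineForExecution'],
      [executionArnPattern(stateMachineArn)]),
  ];
}

// grantTaskResponse(): the three callback actions a task worker needs, scoped to
// the state machine like the issue's grantSendTaskSuccess/Failure proposal.
function grantTaskResponse(stateMachineArn: string): PolicyStatementJson {
  return grantActions(stateMachineArn,
    ['states:SendTaskSuccess', 'states:SendTaskFailure', 'states:SendTaskHeartbeat']);
}

// IAM-style glob: '*' matches any run of characters, '?' exactly one.
// Action names compare case-insensitively; resource ARNs do not.
function iamGlobMatches(pattern: string, value: string, ignoreCase = false): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${body}$`, ignoreCase ? 'i' : '').test(value);
}

// Would this Allow-only statement list let the principal call `action` on `resource`?
// Models Allow statements with wildcards only: no Deny, conditions or resource policies.
function isAllowed(statements: PolicyStatementJson[], action: string, resource: string): boolean {
  return statements.some(s =>
    s.Action.some(a => iamGlobMatches(a, action, true)) &&
    s.Resource.some(r => iamGlobMatches(r, resource)));
}

// Constructed sample ARNs: one state machine, one of its executions, and an
// execution of an unrelated state machine in the same account.
const ORDERS_SM = 'arn:aws:states:us-east-1:123456789012:stateMachine:OrderPipeline';
const ORDERS_EXEC = 'arn:aws:states:us-east-1:123456789012:execution:OrderPipeline:9a1c2f4e-0001';
const BILLING_EXEC = 'arn:aws:states:us-east-1:123456789012:execution:Billing:9a1c2f4e-0002';

// Side by side: the naive grant the issue starts from, the over-broad
// ["executionArn", "*"] variant it was unsure about, and the scoped pattern.
function compareDescribeGrants(): Record<string, boolean> {
  const onStateMachineArn = [grantActions(ORDERS_SM, ['states:DescribeExecution'])];
  const withStar = [grantActions(ORDERS_SM, ['states:DescribeExecution'], [executionArnPattern(ORDERS_SM), '*'])];
  const scoped = grantRead(ORDERS_SM);
  return {
    naiveCoversOwnExecution: isAllowed(onStateMachineArn, 'states:DescribeExecution', ORDERS_EXEC), // false
    starCoversOtherMachine: isAllowed(withStar, 'states:DescribeExecution', BILLING_EXEC),          // true
    scopedCoversOwnExecution: isAllowed(scoped, 'states:DescribeExecution', ORDERS_EXEC),           // true
    scopedCoversOtherMachine: isAllowed(scoped, 'states:DescribeExecution', BILLING_EXEC),          // false
  };
}
```

Calling compareDescribeGrants() makes the security point explicit: a DescribeExecution statement on the state machine ARN allows nothing (an execution is a different resource type), adding "*" allows describing every execution in the account, and execution:<name>:* is the smallest resource that works. Whatever final shape the CDK API takes, checking the synthesized statement against a real execution ARN this way is the test worth keeping.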
0 reactions
seansullivan commented, Jun 2, 2022

Perhaps I’m missing something here, but grantTaskResponse() does not appropriately set the permission on a Lambda function, as it has an UnknownPrincipal, as stated here.

Upon deploying the CDK project, I am met with the warning message:

Add statement to this resource's role: {"action":["states:SendTaskSuccess"],"notAction":[],"principal":{},"notPrincipal":{},"resource":[{"Ref":"myStateMachineStackMyStateMachineA67BBFB7"}],"notResource":[],"condition":{},"effect":"Allow"}

Of course, if I add the permission directly on the Lambda’s role as a policy statement, everything works fine:

    import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam'; // CDK v2 import path

    // inside a Stack, so this.region / this.account resolve to the deployment environment
    new PolicyStatement({
        effect: Effect.ALLOW,
        actions: ['states:SendTask*'],
        resources: [`arn:aws:states:${this.region}:${this.account}:stateMachine:*`]
    })

Is the intent of these APIs to allow to use as such for a Lambda function?

    // fromFunctionArn takes a scope and id before the ARN
    const myLambdaFunction = Function.fromFunctionArn(this, 'MyLambdaFunction', myLambdaFunctionArn);

    myStateMachine.grantTaskResponse(myLambdaFunction);

For further context, this Lambda lives outside of StepFunctions and is used for manual task response via API Gateway.


