Provide more grant APIs for the StateMachine construct

Like StateMachine#grantStartExecution, be able to have a StateMachine#grantDescribeExecution.
Use Case

In order to improve readability and have a standard way of giving permissions over a StateMachine: as a devops engineer, I want to give permission to describe an execution to an AWS resource.

Proposed Solution

First create an executionArn, like the stateMachineArn, because the ARNs are different when giving permissions. For example:

```
arn:aws:states:us-east-1:1234567890:stateMachine:StateMachineExample
arn:aws:states:us-east-1:1234567890:execution:StateMachineExample
```

Then create a method grantDescribeExecution that uses the executionArn, something like this:
```ts
abstract class StateMachineBase extends Resource implements IStateMachine {
  // ...
  public abstract readonly stateMachineArn: string;
  public abstract readonly executionArn: string;

  /**
   * Grant the given identity permissions to start an execution of this state
   * machine.
   */
  public grantStartExecution(identity: iam.IGrantable): iam.Grant {
    return iam.Grant.addToPrincipal({
      grantee: identity,
      actions: ['states:StartExecution'],
      resourceArns: [this.stateMachineArn],
    });
  }

  /**
   * Grant the given identity permissions to describe executions of this state
   * machine.
   */
  public grantDescribeExecution(identity: iam.IGrantable): iam.Grant {
    return iam.Grant.addToPrincipal({
      grantee: identity,
      actions: ['states:DescribeExecution'],
      // I'm not sure about this; there could be a better way.
      // The idea is to end up with something like
      // arn:aws:states:us-east-1:123456:execution:StateMachineExample:*
      resourceArns: [`${this.executionArn}:*`],
    });
  }
}
```
and
```ts
export class StateMachine extends StateMachineBase {
  /**
   * The ARN of the state machine
   */
  public readonly stateMachineArn: string;

  /**
   * The ARN of the state machine execution
   */
  public readonly executionArn: string;

  constructor(scope: Construct, id: string, props: StateMachineProps) {
    // ...
    this.stateMachineName = this.getResourceNameAttribute(resource.attrName);
    this.stateMachineArn = this.getResourceArnAttribute(resource.ref, {
      service: 'states',
      resource: 'stateMachine',
      resourceName: this.physicalName,
      sep: ':',
    });
    // Same physical name, different resource type: executions of this machine
    // are addressed as ...:execution:<name>:<execution name>
    this.executionArn = this.getResourceArnAttribute(resource.ref, {
      service: 'states',
      resource: 'execution',
      resourceName: this.physicalName,
      sep: ':',
    });
  }
}
```
On the other hand, and not totally related, this could also be done:

```ts
public grantSendTaskSuccess(identity: iam.IGrantable): iam.Grant {
  return iam.Grant.addToPrincipal({
    grantee: identity,
    actions: ['states:SendTaskSuccess'],
    resourceArns: [this.stateMachineArn],
  });
}

public grantSendTaskFailure(identity: iam.IGrantable): iam.Grant {
  return iam.Grant.addToPrincipal({
    grantee: identity,
    actions: ['states:SendTaskFailure'],
    resourceArns: [this.stateMachineArn],
  });
}
```
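As an added example, not code from the issue or from aws-cdk: a self-contained model, on plain strings rather than CDK tokens, of the execution ARN the proposal derives and of the policy statement a grantDescribeExecution() helper would attach. The functions parseStateMachineArn, executionArnPattern, grantDescribeExecution, arnMatches and statementAllows, the PolicyStatement shape and the sample ARNs are all constructed here; arnMatches is a simplified model of IAM's `*` and `?` resource wildcards, used to show what the `:*` pattern does and does not cover.

```typescript
// Added example (not aws-cdk or issue code): a plain-string model of the
// execution ARN the issue proposes and of the policy statement a
// grantDescribeExecution() helper would attach to the grantee.

// Components of arn:<partition>:states:<region>:<account>:stateMachine:<name>
export interface StateMachineArnParts {
  partition: string;
  region: string;
  account: string;
  name: string;
}

// Split a state machine ARN into its parts, rejecting anything that is not
// a states:stateMachine ARN (an execution ARN uses a different resource type).
export function parseStateMachineArn(arn: string): StateMachineArnParts {
  const p = arn.split(':');
  if (p.length !== 7 || p[0] !== 'arn' || p[2] !== 'states' || p[5] !== 'stateMachine') {
    throw new Error(`not a state machine ARN: ${arn}`);
  }
  return { partition: p[1], region: p[3], account: p[4], name: p[6] };
}

// Executions use the "execution" resource type and carry the execution name
// as a final segment, so the resource pattern for "every execution of this
// one machine" is ...:execution:<name>:* (the form the issue describes),
// not "*" and not the state machine ARN itself.
export function executionArnPattern(stateMachineArn: string): string {
  const sm = parseStateMachineArn(stateMachineArn);
  return `arn:${sm.partition}:states:${sm.region}:${sm.account}:execution:${sm.name}:*`;
}

export interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

// Hypothetical stand-in for iam.Grant.addToPrincipal(): returns the statement
// that would land in the grantee's policy instead of attaching it.
export function grantDescribeExecution(stateMachineArn: string): PolicyStatement {
  return {
    Effect: 'Allow',
    Action: ['states:DescribeExecution'],
    Resource: [executionArnPattern(stateMachineArn)],
  };
}

// Simplified model of IAM resource matching: '*' matches any run of
// characters and '?' a single character; everything else is literal.
export function arnMatches(pattern: string, arn: string): boolean {
  const literal = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + literal.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
  return re.test(arn);
}

// Does the statement allow `action` on `arn`?
export function statementAllows(stmt: PolicyStatement, action: string, arn: string): boolean {
  return stmt.Action.indexOf(action) !== -1 && stmt.Resource.some((r) => arnMatches(r, arn));
}

// Constructed sample values (same account and machine name as in the issue text).
const SAMPLE_STATE_MACHINE = 'arn:aws:states:us-east-1:1234567890:stateMachine:StateMachineExample';
const OWN_EXECUTION = 'arn:aws:states:us-east-1:1234567890:execution:StateMachineExample:run-1';
const OTHER_EXECUTION = 'arn:aws:states:us-east-1:1234567890:execution:OtherMachine:run-1';

const statement = grantDescribeExecution(SAMPLE_STATE_MACHINE);
console.log(JSON.stringify(statement, null, 2));
console.log('own execution allowed:  ', statementAllows(statement, 'states:DescribeExecution', OWN_EXECUTION));   // true
console.log('other execution allowed:', statementAllows(statement, 'states:DescribeExecution', OTHER_EXECUTION)); // false
```

The helpers work on resolved strings; in a CDK construct the state machine ARN is a deploy-time token, so the `:*` suffix would be appended to the token (template-string concatenation works on tokens) rather than produced by parsing. The matcher makes the scoping visible: a statement on `...:execution:StateMachineExample:*` allows describing that one machine's executions and nothing else, whereas a resource of `*` would cover every execution in the account.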
Other
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics

- Created 4 years ago
- Reactions: 2
- Comments: 5 (1 by maintainers)
Top GitHub Comments

I would re-shape these APIs to be:

- grantRead(), which provides Describe, List and a number of other read operations,
- grantTaskResponse() (or something similar) that provides SendTaskSuccess, SendTaskFailure and SendTaskHeartbeat, which allow the task to report its status, and
- a grant() API that takes a list of string IAM action names that can be used by the user for fine-grained control.

Perhaps I'm missing something here, but grantTaskResponse() does not appropriately set the permission on a Lambda function as it has an UnknownPrincipal, as stated here. Upon deploying the CDK project, I am met with the warning message:

Of course, if I add the permission directly on the Lambda's role as a policy statement, everything works fine:

Is the intent of these APIs to allow use as such for a Lambda function?

For further context, this Lambda lives outside of Step Functions and is used for manual task response via API Gateway.