I have a use case where I have to invoke an API Gateway REST endpoint in another AWS account; they have given me a role to assume.
I am thinking of two options:
Q1. I personally think option 2 is better, but what are your views on this?
Q2. I have trouble invoking the REST endpoint from the Step Function. Here is my Step Function definition:
{
  "Comment": "A description of my state machine",
  "StartAt": "API Gateway Invoke",
  "States": {
    "API Gateway Invoke": {
      "Type": "Task",
      "Resource": "arn:aws:states:::apigateway:invoke",
      "Parameters": {
        "ApiEndpoint": "endpoint",
        "Method": "GET",
        "Path": "path",
        "AuthType": "IAM_ROLE"
      },
      "End": true
    }
  }
}
IAM role trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policy to assume the role:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "role_arn"
  }
}
When I execute the Step Function I get this error response:
{
  "resourceType": "apigateway",
  "resource": "invoke",
  "error": "ApiGateway.403",
  "cause": {
    "Message": "User:rolearn/hUAiLwbfPOsSKqarBDcdelSpeGIbyiZA is not authorized to access this resource"
  }
}
I have tried giving the full execution invoke permission to the Step Function, but it didn't help. I am stuck; any help would be appreciated.
Currently, Step Functions doesn't support cross-account integration between Step Functions and API Gateway without a resource policy.
My guess is that the Step Function is failing to assume the role.
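The answer's point, that a cross-account invoke needs a resource policy on the API as well as a permission on the caller's role, can be modelled offline. The block below is an added example written for this page; it is not code from the poster, the answerer or AWS. It builds the two policy documents the setup needs and runs a simplified IAM-style evaluation over them (Allow/Deny, `*`/`?` wildcards, exact role-ARN principals; no account-root principals, conditions or SCPs). The account IDs, region, API id, stage and role name are made up. It also makes a related point about the question's definition: `AuthType: IAM_ROLE` signs the request with the execution role's own credentials and never calls `sts:AssumeRole`, so the AssumeRole grant on that role is not what is missing.

```python
"""Two-sided authorization model for a cross-account API Gateway invoke.

Added example for this thread; not code from the poster or from AWS.
For cross-account access IAM requires an Allow from BOTH the caller's
identity policy and the API's resource policy.  All identifiers are made up.
"""
import fnmatch
from typing import Optional

CALLER_ACCOUNT = "111111111111"      # account running the state machine (assumed)
API_ACCOUNT = "222222222222"         # account that owns the REST API (assumed)
REGION = "us-east-1"
API_ID = "a1b2c3d4e5"                # made-up REST API id
STAGE = "prod"
CALLER_ROLE_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:role/StepFunctionsExecutionRole"
INVOKE = "execute-api:Invoke"


def invoke_arn(method: str, path: str, stage: str = STAGE) -> str:
    """execute-api ARN that IAM evaluates for one method/path on a stage."""
    return (f"arn:aws:execute-api:{REGION}:{API_ACCOUNT}:{API_ID}"
            f"/{stage}/{method}/{path.lstrip('/')}")


def caller_identity_policy(resource: str) -> dict:
    """Identity policy for the execution role in the caller account.

    AuthType IAM_ROLE signs with this role's own credentials; it never calls
    sts:AssumeRole, so an AssumeRole grant on the role does not help.  What
    the role needs is execute-api:Invoke on the remote API's ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": INVOKE, "Resource": resource}]}


def api_resource_policy(resource: str) -> dict:
    """Resource policy the API owner attaches to the REST API.  It names the
    caller account's role explicitly; the stage must be redeployed after the
    policy is attached for the change to take effect."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": CALLER_ROLE_ARN},
         "Action": INVOKE, "Resource": resource}]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _statement_matches(st: dict, action: str, resource: str,
                       principal: Optional[str]) -> bool:
    """Simplified matcher: exact principal or '*', glob on action/resource."""
    if principal is not None:
        block = st.get("Principal", {})
        allowed = ["*"] if block == "*" else _as_list(block.get("AWS", []))
        if not any(p == "*" or p == principal for p in allowed):
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatch.fnmatchcase(resource, r)
                    for r in _as_list(st["Resource"])))


def _decision(policy: dict, action: str, resource: str,
              principal: Optional[str] = None) -> str:
    """'deny' if any matching statement is an explicit Deny, else 'allow' if
    one matches, else 'implicit_deny'."""
    verdict = "implicit_deny"
    for st in _as_list(policy["Statement"]):
        if _statement_matches(st, action, resource, principal):
            if st["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


def cross_account_invoke_allowed(caller_policy: dict,
                                 resource_policy: Optional[dict],
                                 resource: str) -> bool:
    """Cross-account rule: the identity policy in the caller account AND the
    resource policy in the API account must both allow the call.  With no
    resource policy at all (the poster's situation) the call is refused no
    matter how broad the caller's own policy is."""
    if _decision(caller_policy, INVOKE, resource) != "allow":
        return False
    if resource_policy is None:
        return False
    return _decision(resource_policy, INVOKE, resource, CALLER_ROLE_ARN) == "allow"


if __name__ == "__main__":
    target = invoke_arn("GET", "/orders")
    mine = caller_identity_policy(target)
    print("without resource policy:",
          cross_account_invoke_allowed(mine, None, target))                        # False
    print("with resource policy:   ",
          cross_account_invoke_allowed(mine, api_resource_policy(target), target))  # True
```

Scoping the `Resource` in both policies to one stage/method/path, as `invoke_arn` does, keeps the grant least-privilege; a `/*` on the caller side still gets refused for any method the resource policy does not list, which the evaluation above reflects.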