
AWS Step Function - basic authorization error


I have created a simple AWS Step function with a single step (SQS:receive message).

The process is:

  1. I put a message on the SQS queue X (which arrives OK)
  2. I start the AWS State machine, expecting it to receive the message

Instead I get the error:

    {
        "id": "5",
        "type": "TaskFailed",
        "details": {
            "cause": "The role arn:aws:iam::1234:role/StepFunctionsSandboxRole is not authorized to assume the task state's role, arn:aws:iam::1234:role/StepFunctionsSandboxRole.",
            "error": "States.TaskFailed",
            "resource": "receiveMessage.waitForTaskToken",
            "resourceType": "aws-sdk:sqs"
        },
        "previous_event_id": "4",
        "event_timestamp": "1682488337384",
        "execution_arn": "arn:aws:states:ap-southeast-2:1234:execution:MyStateMachine:78f95d4d-c6aa-b554-3545-07b8f8507b7d"
    }

Any suggestions on what is wrong with my IAM setup?

My step function JSON:

{
  "Comment": "A description of my state machine",
  "StartAt": "ReceiveMessage",
  "States": {
    "ReceiveMessage": {
      "Type": "Task",
      "Parameters": {
        "QueueUrl": "https://sqs.ap-southeast-2.amazonaws.com/1234/workflow-demo-request"
      },
      "Resource": "arn:aws:states:::aws-sdk:sqs:receiveMessage.waitForTaskToken",
      "Credentials": {
        "RoleArn": "arn:aws:iam::1234:role/StepFunctionsSandboxRole"
      },
      "End": true
    }
  },
  "TimeoutSeconds": 10
}

My IAM role's (StepFunctionsSandboxRole) trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "states.ap-southeast-2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Solution

  • Are you trying to perform cross-account invocation? The Credentials field is only used when you want to perform an invocation on a different account, or in the same account but using a different IAM Role.

    In your case, it looks like both IAM Roles are the same, and in this case you do not need the Credentials field in your Task state, as you are already running the execution using the execution role named StepFunctionsSandboxRole.

    Another thing that I noticed, you have .waitForTaskToken in your definition. This is used for Callback pattern which does not look like you need it. This is for the case where you want to make an invocation (sqs:ReceiveMessage in your case) and something else will report the success. What I understood is that you just want to receive the message, so you don't need the .waitForTaskToken.
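The state machine definition with both changes from the answer applied, added here as an example rather than taken from the question or the answer: the Credentials block is dropped, and the Resource no longer carries the .waitForTaskToken suffix. The QueueUrl, account ID, region and TimeoutSeconds are the ones from the question; MaxNumberOfMessages, WaitTimeSeconds and ResultPath are assumptions added for illustration and are not in the original post.

```json
{
  "Comment": "Receive one message from the demo queue (added example; Credentials and .waitForTaskToken removed)",
  "StartAt": "ReceiveMessage",
  "States": {
    "ReceiveMessage": {
      "Type": "Task",
      "Resource": "arn:aws:states:::aws-sdk:sqs:receiveMessage",
      "Parameters": {
        "QueueUrl": "https://sqs.ap-southeast-2.amazonaws.com/1234/workflow-demo-request",
        "MaxNumberOfMessages": 1,
        "WaitTimeSeconds": 5
      },
      "ResultPath": "$.sqs",
      "End": true
    }
  },
  "TimeoutSeconds": 10
}
```

With this definition the SDK call runs under the state machine's execution role, so no sts:AssumeRole happens and the trust policy shown in the question (which trusts only states.ap-southeast-2.amazonaws.com) is sufficient; the execution role's permissions policy still has to allow sqs:ReceiveMessage on the queue's ARN. If Credentials is kept because the task genuinely needs a different role, that target role's trust policy must name the execution role as a principal allowed to call sts:AssumeRole, since it is the execution role, not the Step Functions service principal, that performs the assume. Note also that receiveMessage only reads: the message stays on the queue and becomes visible again after its visibility timeout unless a later state calls sqs:deleteMessage with the ReceiptHandle returned in the Messages array.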