Step Function Execution Role is created although an existing Role is specified in the template #1873
Comments
I tried the template above using a translator test and got the JSON below. It contains no separate role definition.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "sam template \n",
"Resources": {
"stateMachine": {
"Type": "AWS::Serverless::stateMachine",
"Properties": {
"DefinitionUri": "statemachine/state_machine_logic_here.asl.json",
"DefinitionSubstitutions": {
"firstFunctionArn": {
"Fn::GetAtt": [
"firstFunction",
"Arn"
]
},
"secondFunctionArn": {
"Fn::GetAtt": [
"secondFunction",
"Arn"
]
},
"thridFunctionArn": {
"Fn::GetAtt": [
"thirdFunction",
"Arn"
]
},
"fourthFunctionArn": {
"Fn::GetAtt": [
"fourthFunction",
"Arn"
]
}
},
"Events": {
"ApiEvent": {
"Type": "Api",
"Properties": {
"Method": "get",
"Path": "/activate_state_machine"
}
}
},
"Role": "arn:aws:iam::13333333333337:role/service-role/rolename"
}
},
"firstFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "functions",
"S3Key": "first/"
},
"Handler": "app.lambda_handler",
"Role": "arn:aws:iam::13333333333337:role/rolename",
"Runtime": "python3.8",
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
]
}
},
"firstFunctionApiEventPermissionProd": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Ref": "firstFunction"
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/GET/first",
{
"__ApiId__": {
"Ref": "ServerlessRestApi"
},
"__Stage__": "*"
}
]
}
}
},
"secondFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "functions",
"S3Key": "second/"
},
"Handler": "app.lambda_handler",
"Role": "arn:aws:iam::13333333333337:role/rolename",
"Runtime": "python3.8",
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
]
}
},
"secondFunctionApiEventPermissionProd": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Ref": "secondFunction"
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/second",
{
"__ApiId__": {
"Ref": "ServerlessRestApi"
},
"__Stage__": "*"
}
]
}
}
},
"thirdFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "functions",
"S3Key": "third/"
},
"Handler": "app.lambda_handler",
"Role": "arn:aws:iam::13333333333337:role/rolename",
"Runtime": "python3.8",
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
]
}
},
"thirdFunctionApiEventPermissionProd": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Ref": "thirdFunction"
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/third",
{
"__ApiId__": {
"Ref": "ServerlessRestApi"
},
"__Stage__": "*"
}
]
}
}
},
"fourthFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "functions",
"S3Key": "fourth/"
},
"Handler": "app.lambda_handler",
"Role": "arn:aws:iam::13333333333337:role/rolename",
"Runtime": "python3.8",
"Tags": [
{
"Key": "lambda:createdBy",
"Value": "SAM"
}
]
}
},
"fourthFunctionApiEventPermissionProd": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Ref": "fourthFunction"
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Sub": [
"arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/POST/fourth",
{
"__ApiId__": {
"Ref": "ServerlessRestApi"
},
"__Stage__": "*"
}
]
}
}
},
"ServerlessRestApi": {
"Type": "AWS::ApiGateway::RestApi",
"Properties": {
"Body": {
"swagger": "2.0",
"info": {
"version": "1.0",
"title": {
"Ref": "AWS::StackName"
}
},
"paths": {
"/first": {
"get": {
"x-amazon-apigateway-integration": {
"type": "aws_proxy",
"httpMethod": "POST",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${firstFunction.Arn}/invocations"
}
},
"responses": {}
}
},
"/second": {
"post": {
"x-amazon-apigateway-integration": {
"type": "aws_proxy",
"httpMethod": "POST",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${secondFunction.Arn}/invocations"
}
},
"responses": {}
}
},
"/third": {
"post": {
"x-amazon-apigateway-integration": {
"type": "aws_proxy",
"httpMethod": "POST",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${thirdFunction.Arn}/invocations"
}
},
"responses": {}
}
},
"/fourth": {
"post": {
"x-amazon-apigateway-integration": {
"type": "aws_proxy",
"httpMethod": "POST",
"uri": {
"Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${fourthFunction.Arn}/invocations"
}
},
"responses": {}
}
}
}
}
}
},
"ServerlessRestApiDeployment507a4ca1c8": {
"Type": "AWS::ApiGateway::Deployment",
"Properties": {
"Description": "RestApi deployment id: 507a4ca1c886182e38decb467b549de7704fbd71",
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": "Stage"
}
},
"ServerlessRestApiProdStage": {
"Type": "AWS::ApiGateway::Stage",
"Properties": {
"DeploymentId": {
"Ref": "ServerlessRestApiDeployment507a4ca1c8"
},
"RestApiId": {
"Ref": "ServerlessRestApi"
},
"StageName": "Prod"
}
}
},
"Outputs": {
"stateMachineArn": {
"Description": "state machine ARN",
"Value": {
"Ref": "stateMachine"
}
}
}
}
Hi @mikasd, I managed to get the same result as @Jacco did above, in which I could not find any |
Hi, Below is the template:
Commands executed:
CLI output logs:
SAM CLI version : Note: |
@soumenrock You are trying to create IAM::Roles in your template (genericRole, CodeDeployAssetOverrideRole) while you don't have the |
@mikasd I tried your template and you are right; SAM always creates an IAM Role for the API that triggers that state-machine (StateMachineApiEventRole) I think a new attribute "Role" is required for the API event source |
I have the same issue as @soumenrock, which is not surprising, as I believe we are in the same organization. The issue is that you can create IAM Roles, but policy requires a PermissionsBoundary to do so. The implicit role created by the Api Event does not include that PermissionsBoundary, so creation fails. I agree that adding an attribute to specify the Role for the API event source would resolve the issue.
Any news on this issue? I am unable to deploy due to missing
I was able to resolve this by adding an explicit role to the SAM template:
That removed the implicit CodeDeployServiceRole. Note that the indicated role must have a trust relationship that allows CodeDeploy to assume it, as well as all the permissions the deployment needs, such as iam:CreateRole (in the above role's trust policy):
Description:
The app structure is an API with 5 routes, 4 of the endpoints hit individual lambdas and the fifth initiates a step function state machine process. All of this is built out with the SAM CLI tooling.
In my organization there is a strict IAM policy. I have managed to procure all of the policies needed for the permissions associated with deploying a SAM CLI application under a role they gave me. From what I understand, the logic behind IAM role creation in sam deploy is essentially this: it screens the application template for any roles needed; if roles are specified, it uses those roles, otherwise it auto-generates ones specific to the needs of the application being deployed.
We are not allowed to have iam:createRole permissions.
I have tried to circumvent this by getting the roles with all of the theoretical permissions needed and then specifying those roles into the formation template.
In the template, all of the lambdas have roles specified and during deployment the build tasks of creating roles for each lambda were removed as a result. This is expected functionality.
I have specified a role for the state machine in the template as well, the role has the full access policy for step functions along with all other needed permissions.
The event type that activates the state machine is an API event. During deployment, there is still an attempt to create a new IAM role for the state machine's API event. Providing the predefined role to every other resource seemed to do the trick. Why does it keep doing this only for the state machine's API event?
Just to emphasize, I fixed this issue for the lambdas and the autogenerated api by specifying roles for each resource, but for some reason it did not work with the state machine's api event.
I have tried this with capabilities defined as both CAPABILITY_IAM and CAPABILITY_NAMED_IAM in the deploy command.
I used issue #1009 to fix the role issues with the Lambdas but the same logic did not work for the state machine resource.
here is the template yaml for reference, the naming or references might be weird on here because I tried to scrub it for anything related to the actual project and make it general.
I am new so hopefully this is just a template syntax issue on my end.
Thank you in advance
A similar issue was also posted, but is unanswered, on StackOverflow.
Observed result:
CloudFormation attempts to create a state machine API event role, and fails because the current AWS role has not been granted permission to create IAM Roles.
Expected result:
The deployment should succeed because CloudFormation should NOT create a new role, as a Role has already been provided in the SAM template.