
How To Give A Lambda Function In A State Machine Access To Describe The State Machine?

I've got a LambdaInvoke which is part of a state machine. I've specified input_path='$$.Execution' to give it the state machine execution ARN. Now, how do I give the LambdaFunction

Solution 1:

Irrespective of how a StateMachine is started there are 2 different roles, one for your Lambda function and one for your StateMachine. Let's have a look at sending a message to SQS as an example. You could do that directly with your StateMachine with the SQS integration, or you could have a Lambda which would do it for you.

StateMachine Role

The role given to the StateMachine is needed for purposes such as logging, but also depending on what integrations you use; for example, if you have sqs:sendMessage it will need to have an SQS policy attached to enable that. If you use Lambda Functions in your StateMachine you will need to have a policy for lambda:InvokeFunction.

Lambda Function Role

Let's say you have a Lambda which sends a message to SQS and you don't use the arn:aws:states:::sqs:sendMessage... in your definition file; then your StateMachine role needs lambda:InvokeFunction permissions only, but your Lambda needs permissions to SQS.

Now for your use case, your Lambda needs to have permissions to states:DescribeExecution, not sqs. If your Lambda function works in the console successfully, and your StateMachine has permissions to execute that function all should work.

If you have a Lambda launching a StateMachine it only needs access to start a StateMachine.

Circular Dependencies Problem

You don't really have a circular dependency problem, you have a permissions problem. Other than creating a new role every time you would launch a StateMachine, you can't scope a Lambda to one instance, the reason being that there isn't anything you can reference in the condition key context in the IAM JSON, so that approach doesn't work. You can limit the Lambda to only executions for a particular StateMachine, but again it would be for all users.

There isn't actually an inherent need for a Lambda launched by a StateMachine to describe the very StateMachine it was launched from, the reason being that you could simply pass the state of that StateMachine to that function anyway.
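The permission split described in this answer, written out as an added example (not code from the original question or answer): the state machine's role gets lambda:InvokeFunction on the function only, the Lambda's role gets states:DescribeExecution limited to executions of the one state machine (the narrowest resource scope available, since no condition key identifies a single execution), and the handler reads the execution ARN from the `$$.Execution` context object that `input_path='$$.Execution'` delivers. The ARNs, names and the `describe_own_execution` handler are constructed for this example; the `client` parameter is an injection point so the handler can be exercised offline.

```python
"""Least-privilege wiring for a Lambda task that describes the Step Functions
execution that invoked it. Added example; ARNs below are constructed placeholders.
The Lambda is assumed to be invoked with input_path='$$.Execution', so its
event is the execution context object: {"Id": <execution ARN>, "Name": ..., ...}.
"""
import json

STATE_MACHINE_ARN = "arn:aws:states:us-east-1:123456789012:stateMachine:OrderFlow"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:describe-flow"


def execution_resource_arn(state_machine_arn):
    """Map a state machine ARN to the ARN pattern covering all of its executions.

    arn:PARTITION:states:REGION:ACCOUNT:stateMachine:NAME
      -> arn:PARTITION:states:REGION:ACCOUNT:execution:NAME:*
    This scopes the Lambda to executions of one state machine, not one execution.
    """
    parts = state_machine_arn.split(":")
    if len(parts) != 7 or parts[2] != "states" or parts[5] != "stateMachine":
        raise ValueError("not a state machine ARN: %s" % state_machine_arn)
    partition, region, account, name = parts[1], parts[3], parts[4], parts[6]
    return "arn:%s:states:%s:%s:execution:%s:*" % (partition, region, account, name)


def lambda_role_policy(state_machine_arn):
    """Inline policy for the Lambda function's role: DescribeExecution only,
    limited to executions of the given state machine. No SQS, no StartExecution."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "states:DescribeExecution",
            "Resource": execution_resource_arn(state_machine_arn),
        }],
    }


def state_machine_role_policy(function_arn):
    """Inline policy for the state machine's role: it only needs to invoke the
    function (and any version/alias of it); it needs no states:* permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": [function_arn, function_arn + ":*"],
        }],
    }


def describe_own_execution(event, context, client=None):
    """Lambda handler (hypothetical name). `event` is the $$.Execution context
    object; `client` may be injected for offline tests, otherwise boto3 is used."""
    execution_arn = event.get("Id")
    if not execution_arn:
        raise ValueError("event lacks $$.Execution.Id; check the task's input_path")
    if client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("stepfunctions")
    resp = client.describe_execution(executionArn=execution_arn)
    return {
        "executionArn": execution_arn,
        "stateMachineArn": resp.get("stateMachineArn"),
        "status": resp.get("status"),
    }


if __name__ == "__main__":
    # Print the two policy documents ready to attach to their respective roles.
    print(json.dumps(lambda_role_policy(STATE_MACHINE_ARN), indent=2))
    print(json.dumps(state_machine_role_policy(FUNCTION_ARN), indent=2))
```

Attach the first document to the Lambda's execution role and the second to the state machine's role; because the execution resource pattern is derived from the state machine name rather than a specific execution, the Lambda can describe any execution of that state machine but nothing else in the account.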
