AWS Step Functions
Developer Guide

Creating Granular IAM Permissions for Non-Admin Users

The default managed policies in IAM, such as ReadOnly, don't fully cover all types of Step Functions permissions. This section describes these different types of permissions and provides some example configurations.

AWS Step Functions has four categories of permissions. Depending on what access you want to provide to a user, you can control access by using permissions in these categories.

Service-Level Permissions

Apply to components of the API that do not act on a specific resource.

State Machine-Level Permissions

Apply to all API components that act on a specific state machine.

Execution-Level Permissions

Apply to all API components that act on a specific execution.

Activity-Level Permissions

Apply to all API components that act on a specific activity or on a particular instance of an activity.

Service-Level Permissions

This permission level applies to all API actions that do not act on a specific resource. These include CreateStateMachine, CreateActivity, ListStateMachines, and ListActivities. Because CreateStateMachine passes an IAM role to Step Functions, the example policy also grants iam:PassRole on the execution role that the state machines will assume.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity"
      ],
      "Resource": [
        "arn:aws:states:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]
}

State Machine-Level Permissions

This permission level applies to all API actions that act on a specific state machine. These API operations require the ARN of the state machine as part of the request, such as DeleteStateMachine, DescribeStateMachine, StartExecution, and ListExecutions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:DeleteStateMachine",
        "states:ListExecutions"
      ],
      "Resource": [
        "arn:aws:states:*:*:stateMachine:StateMachinePrefix*"
      ]
    }
  ]
}

Execution-Level Permissions

This permission level applies to all the API actions that act on a specific execution. These API operations require the ARN of the execution as part of the request, such as DescribeExecution, GetExecutionHistory, and StopExecution.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:GetExecutionHistory",
        "states:StopExecution"
      ],
      "Resource": [
        "arn:aws:states:*:*:execution:*:ExecutionPrefix*"
      ]
    }
  ]
}

Activity-Level Permissions

This permission level applies to all the API actions that act on a specific activity or on a particular instance of it. These API operations require the ARN of the activity or the token of the instance as part of the request, such as DeleteActivity, DescribeActivity, GetActivityTask, SendTaskSuccess, SendTaskFailure, and SendTaskHeartbeat.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeActivity",
        "states:DeleteActivity",
        "states:GetActivityTask",
        "states:SendTaskSuccess",
        "states:SendTaskFailure",
        "states:SendTaskHeartbeat"
      ],
      "Resource": [
        "arn:aws:states:*:*:activity:ActivityPrefix*"
      ]
    }
  ]
}
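To see how the state machine-level and execution-level policies above scope access, the following added example (not part of the AWS documentation) evaluates them with simplified IAM matching rules: wildcard action and resource matching, implicit deny, explicit Deny overriding Allow, and no conditions, principals, NotAction or NotResource. The ARNs, account ID and region are constructed placeholders.

```python
import json
import re

# Constructed copies of two policies from this page (not fetched from AWS).
STATE_MACHINE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["states:DescribeStateMachine", "states:StartExecution",
             "states:DeleteStateMachine", "states:ListExecutions"],
  "Resource": ["arn:aws:states:*:*:stateMachine:StateMachinePrefix*"]}]}""")
EXECUTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["states:DescribeExecution", "states:GetExecutionHistory",
             "states:StopExecution"],
  "Resource": ["arn:aws:states:*:*:execution:*:ExecutionPrefix*"]}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcard rules: '*' matches any run of characters (including ':'),
    # '?' matches exactly one. Action names are case-insensitive, ARNs are not.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: implicit deny unless an Allow statement
    matches both action and resource; any matching Deny statement wins.
    Conditions, principals, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(_match(a, action, True) for a in _as_list(stmt["Action"]))
        hit_resource = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed ARNs; the region and account ID are placeholders.
SM_IN_SCOPE = "arn:aws:states:us-east-1:123456789012:stateMachine:StateMachinePrefix-orders"
SM_OTHER = "arn:aws:states:us-east-1:123456789012:stateMachine:Billing"
EXEC_ARN = ("arn:aws:states:us-east-1:123456789012:execution:"
            "StateMachinePrefix-orders:ExecutionPrefix-42")

if __name__ == "__main__":
    print(is_allowed(STATE_MACHINE_POLICY, "states:StartExecution", SM_IN_SCOPE))  # True
    print(is_allowed(STATE_MACHINE_POLICY, "states:StartExecution", SM_OTHER))     # False
    # Being allowed to start an execution does not grant the right to stop it:
    print(is_allowed(STATE_MACHINE_POLICY, "states:StopExecution", EXEC_ARN))      # False
    print(is_allowed(EXECUTION_POLICY, "states:StopExecution", EXEC_ARN))          # True
```

The last two checks show why the four levels are separate: a user who can StartExecution on a state machine still needs an execution-level grant to describe or stop the executions it produces.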