AWS Step Functions
Developer Guide

Creating IAM Roles for AWS Step Functions

AWS Step Functions can execute code and access AWS resources (such as data stored in Amazon S3 buckets). To maintain security, you must grant Step Functions access to those resources using an IAM role.

The tutorials in this guide let you use automatically generated IAM roles that are valid for the region in which you create the state machine. To create your own IAM role for a state machine, follow the steps in this section.

Create a Role for Step Functions

In this example, you create an IAM role with permission to invoke a Lambda function.

To create a role for Step Functions

  1. Log in to the IAM console and choose Roles, Create role.

  2. On the Select type of trusted entity page, under AWS service, select SWF from the list and then choose Next: Permissions.

    Note

    Currently, there is no AWS service role registered with the IAM console for the Step Functions service. You must select one of the existing role policies and then create a trust relationship for the role.

  3. On the Attached permissions policy page, choose Next: Review.

  4. On the Review page, type StepFunctionsLambdaRole for Role Name and then choose Create role.

    The IAM role appears in the list of roles.

To create a trust relationship for your Step Functions role

  1. On the Roles page, choose StepFunctionsLambdaRole.

  2. On the Trust Relationships tab, choose Edit Trust Relationship. The following trust relationship is displayed:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "swf.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  3. Under the Principal section, replace swf.amazonaws.com with states.region.amazonaws.com (using the region of your AWS account), for example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "states.us-east-1.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  4. Choose Update Trust Policy.
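
The check below is an added example, not part of the original guide: it inspects a role's trust policy document (the JSON shown on the Trust Relationships tab) and reports whether the edit in step 3 was applied for a given region, and whether any other principal is trusted. The function names and the sample documents are constructed for illustration.

```python
import json

def trust_policy(service):
    """Build the trust document from the steps above (constructed sample)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow",
        "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]})

BEFORE = trust_policy("swf.amazonaws.com")              # as displayed in step 2
AFTER = trust_policy("states.us-east-1.amazonaws.com")  # after the edit in step 3

def _as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy_json, region):
    """Return findings for a Step Functions role trust policy (empty = OK)."""
    expected = f"states.{region}.amazonaws.com"
    findings, trusted = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal") or {}
        if principal == "*":
            findings.append("wildcard principal can assume the role")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == expected:
                    trusted = True
                elif kind == "Service" and value == "swf.amazonaws.com":
                    findings.append("swf.amazonaws.com is still trusted (step 3 not applied)")
                elif value == "*":
                    findings.append(f"wildcard {kind} principal can assume the role")
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not trusted:
        findings.append(f"{expected} is not allowed to assume the role")
    return findings

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(name, check_trust_policy(doc, "us-east-1") or "OK")
```

An empty result means the only trusted principal is the Step Functions service endpoint for the region you passed in.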

For more information about IAM permissions and policies, see Access Management in the IAM User Guide.