AWS Step Functions
Developer Guide

Creating IAM Roles for Use with AWS Step Functions

AWS Step Functions can execute code and access AWS resources (such as data stored in Amazon S3 buckets), so to maintain security you must explicitly grant Step Functions access to those resources. You do this with an IAM role that Step Functions assumes.

In the tutorials for Step Functions in this document, you made use of automatically generated IAM roles that were valid for the region in which you created the state machine. If you wish to create your own IAM role for use with your state machine, this section outlines the steps needed to do that.

Create a Role for Step Functions

In this example, you will create an IAM role with permission to invoke a Lambda function.

  1. Open the IAM console.

  2. Choose Roles in the left pane, then choose Create New Role.

  3. On Set Role Name, type a name for your role, such as states-lambda-role, and choose Next Step.

  4. On Select Role Type, choose AWS SWF from the list.

    Note

    Currently, there is no AWS service role registered with the IAM console for the Step Functions service. You must select one of the existing role policies and manually modify it after the role is created.

  5. On Attach Policy, choose the AWSLambdaRole policy, and then choose Next Step. If you are creating a state machine for a different purpose, please choose the appropriate policy here.

  6. On Review, choose Create Role. You always get a final chance to change the name and policy for your role.

    Next, you will edit the trust relationship for the Step Functions role you created.

  7. From the IAM console, choose the name of the role that you just created (states-lambda-role) from the list. This will open the role's detail page.

  8. Choose the Trust Relationships tab and then choose Edit Trust Relationship. You will see a trust relationship such as:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "swf.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  9. Under the Principal section, replace swf.amazonaws.com with states.REGION.amazonaws.com (where REGION is the AWS region you are working in), resulting in a trust relationship such as the following (for us-east-1):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "states.us-east-1.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
  10. Choose Update Trust Policy.
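The steps above are performed in the IAM console. As an added example that is not part of this guide, the following Python script builds the trust policy from step 9 for a given region, audits an existing trust policy for the mistakes that matter here (the swf.amazonaws.com principal from step 8 left in place, a wildcard or account principal, a service principal for a different region, or an action other than sts:AssumeRole), and prints the equivalent AWS CLI commands. The region, the role name, and the AWSLambdaRole policy ARN are assumptions for the example; the script only generates documents and command strings and does not call AWS.

```python
import json

# Assumed for this example (not taken from the guide): region and role name.
REGION = "us-east-1"
ROLE_NAME = "states-lambda-role"

# ARN of the AWS-managed AWSLambdaRole policy chosen in step 5 (assumed form;
# the guide itself names the policy but not its ARN).
LAMBDA_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaRole"


def states_principal(region):
    """Regional Step Functions service principal, as written in step 9."""
    return "states.%s.amazonaws.com" % region


def build_trust_policy(region):
    """Return the trust policy produced by step 9 as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Service": states_principal(region)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def audit_trust_policy(policy, region):
    """Return a list of findings for a trust policy that should allow only
    Step Functions in `region` to assume the role. An empty list means the
    policy matches what steps 8 and 9 produce."""
    findings = []
    expected = states_principal(region)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # A wildcard principal lets any AWS principal assume the role.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("statement %d: wildcard principal" % i)
            continue
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        for svc in services:
            if svc == "swf.amazonaws.com":
                findings.append("statement %d: swf.amazonaws.com still trusted (step 9 not applied)" % i)
            elif svc != expected:
                findings.append("statement %d: unexpected service principal %s" % (i, svc))
        if isinstance(principal, dict) and "AWS" in principal:
            findings.append("statement %d: account/user principal %s trusted" % (i, principal["AWS"]))
        for act in actions:
            if act.lower() != "sts:assumerole":
                findings.append("statement %d: unexpected action %s" % (i, act))
    return findings


def cli_commands(region, role_name):
    """AWS CLI equivalents of creating the role (steps 2-3, 8-10) and attaching
    the policy (step 5). Returned as strings; nothing is executed."""
    doc = json.dumps(build_trust_policy(region))
    return [
        "aws iam create-role --role-name %s --assume-role-policy-document '%s'" % (role_name, doc),
        "aws iam attach-role-policy --role-name %s --policy-arn %s" % (role_name, LAMBDA_POLICY_ARN),
    ]


if __name__ == "__main__":
    # Constructed copy of the trust policy the console shows in step 8, before the edit.
    before = {"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
              "Principal": {"Service": "swf.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
    print("before edit:", audit_trust_policy(before, REGION))
    print("after edit: ", audit_trust_policy(build_trust_policy(REGION), REGION))
    for cmd in cli_commands(REGION, ROLE_NAME):
        print(cmd)
```

Running the script reports the step 8 policy as still trusting swf.amazonaws.com and the step 9 policy as clean; the same audit function can be pointed at the output of `aws iam get-role` to confirm that an existing role trusts only the Step Functions service principal for the region in use.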

For more information about IAM permissions and policies, see Access Management in the IAM User Guide.