Tagging in Step Functions - AWS Step Functions

Tagging in Step Functions

AWS Step Functions supports tagging of state machines (both Standard and Express) and activities. This can help you track and manage the costs associated with your resources, and provide better security in your AWS Identity and Access Management (IAM) policies. Tagging Step Functions resources allows them to be managed by AWS Resource Groups. For more information on Resource Groups, see the AWS Resource Groups User Guide.

For tag-based authorization, state machine execution resources inherit the tags associated with their state machine. An execution resource has an ARN of the following form.

arn:<partition>:states:<Region>:<account-id>:execution:<StateMachineName>:<ExecutionId>

When you call DescribeExecution or other APIs in which you specify the execution resource ARN, Step Functions uses tags associated with the state machine to accept or deny the request while performing tag-based authorization. This helps you allow or deny access to state machine executions at the state machine level.

To review the restrictions related to resource tagging, see Restrictions related to tagging.

Tagging for Cost Allocation

To organize and identify your Step Functions resources for cost allocation, you can add metadata tags that identify the purpose of a state machine or activity. This is especially useful when you have many resources. You can use cost allocation tags to organize your AWS bill to reflect your own cost structure. To do this, sign up to get your AWS account bill to include the tag keys and values. For more information, see Setting Up a Monthly Cost Allocation Report in the AWS Billing User Guide.

For example, you could add tags that represent the cost center and purpose of your Step Functions resources, as follows.

| Resource | Key | Value |
|---|---|---|
| StateMachine1 | Cost Center | 34567 |
| | Application | Image processing |
| StateMachine2 | Cost Center | 34567 |
| | Application | Rekognition processing |
| Activity1 | Cost Center | 12345 |
| | Application | Legacy database |

This tagging scheme allows you to group two state machines performing related tasks in the same cost center, while tagging an unrelated activity with a different cost allocation tag.

Tagging for Security

IAM supports controlling access to resources based on tags. To control access based on tags, provide information about your resource tags in the condition element of an IAM policy.

For example, you could restrict access to all Step Functions resources that include a tag with the key environment and the value production.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "states:TagResource",
                "states:DeleteActivity",
                "states:DeleteStateMachine",
                "states:StopExecution"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/environment": "production"}
            }
        }
    ]
}

For more information, see Controlling Access Using Tags in the IAM User Guide.
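The following added example (not part of the original page, and not AWS's implementation) is a simplified Python model of how the policy above combines with the tag inheritance described earlier: a request against an execution ARN is evaluated using the tags of its parent state machine. The account ID, state machine names, tag inventory, and the function names effective_tags and is_denied are constructed for illustration; the model matches action names exactly and ignores the Resource element and wildcards.

```python
import re

# Policy from the page: deny selected actions on resources tagged environment=production.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["states:TagResource", "states:DeleteActivity",
                   "states:DeleteStateMachine", "states:StopExecution"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/environment": "production"}},
    }],
}

# Constructed sample inventory: state machine ARN -> tags (account ID and names are made up).
TAGS = {
    "arn:aws:states:us-east-1:111122223333:stateMachine:Billing": {"environment": "production"},
    "arn:aws:states:us-east-1:111122223333:stateMachine:Sandbox": {"environment": "dev"},
}

# Execution ARN form shown on the page:
# arn:<partition>:states:<Region>:<account-id>:execution:<StateMachineName>:<ExecutionId>
EXECUTION_ARN = re.compile(
    r"^(arn:[^:]+:states:[^:]*:\d{12}):execution:([^:]+):([^:]+)$")

def effective_tags(resource_arn, tags=TAGS):
    """Return the tags used for authorization; executions inherit the state machine's tags."""
    m = EXECUTION_ARN.match(resource_arn)
    if m:
        resource_arn = f"{m.group(1)}:stateMachine:{m.group(2)}"
    return tags.get(resource_arn, {})

def is_denied(action, resource_arn, policy=POLICY, tags=TAGS):
    """True if a Deny statement lists the action and its tag conditions all match."""
    resource_tags = effective_tags(resource_arn, tags)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # Only aws:ResourceTag/<key> conditions are modelled (simplifying assumption).
        if all(resource_tags.get(key.split("/", 1)[1]) == value
               for key, value in wanted.items()
               if key.startswith("aws:ResourceTag/")):
            return True
    return False
```

In this model, states:StopExecution on an execution of the production-tagged state machine is denied even though the execution itself was never tagged. The statement lists states:TagResource but not states:UntagResource, so an untag request is not matched by it.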

Viewing and Managing Tags in the Step Functions Console

Step Functions allows you to view and manage the tags for your state machines in the Step Functions console. From the Details page of a state machine, select Tags. Here, you can view the existing tags associated with your state machine.

Note

To manage tags for activities, see Manage Tags with Step Functions API Actions.

To add or delete tags that are associated with your state machine, select the Manage Tags button.

  1. Browse to the details page of a state machine.

  2. Select Tags, next to Executions and Definition.

  3. Choose Manage tags.

    • To modify existing tags, edit the Key and Value.

    • To remove existing tags, choose Remove tag.

    • To add a new tag, choose Add tag and enter a Key and Value.

  4. Choose Save.

Manage Tags with Step Functions API Actions

To manage tags using the Step Functions API, use the following API actions: