IAM policies for using Distributed Map state
When you create workflows with the Step Functions console, Step Functions can automatically generate IAM policies based on the resources in your workflow definition. These policies include the least privileges necessary to allow the state machine role to invoke the StartExecution
API action for the Distributed Map state. These policies also include the least privileges necessary Step Functions to access AWS resources, such as Amazon S3 buckets and objects and Lambda functions. We highly recommend that you include only those permissions that are necessary in your IAM policies. For example, if your workflow includes a Map
state in Distributed mode, scope your policies down to the specific Amazon S3 bucket and folder that contains your dataset.
If you specify an Amazon S3 bucket and object, or prefix, with a reference path to an existing key-value pair in your Distributed Map state input, make sure that you update the IAM policies for your workflow. Scope the policies down to the bucket and object names the path resolves to at runtime.
In this topic:
Example of IAM policy for running a Distributed Map state
When you include a Distributed Map state in your workflows, Step Functions needs appropriate permissions to allow the state machine role to invoke the StartExecution
API action for the Distributed Map state.
The following IAM policy example grants the least privileges required to your state machine role for running the Distributed Map state.
Make sure that you replace
with the name of the state machine in which you're using the Distributed Map state. For example, stateMachineName
arn:aws:states:
.us-east-2
:123456789012
:stateMachine:mystateMachine
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "states:StartExecution" ], "Resource": [ "arn:aws:states:
region
:accountID
:stateMachine:stateMachineName
" ] }, { "Effect": "Allow", "Action": [ "states:DescribeExecution", "states:StopExecution" ], "Resource": "arn:aws:states:region
:accountID
:execution:stateMachineName
/*" } ] }
Examples of IAM policies for reading data from Amazon S3 datasets
The following IAM policy examples grant the least privileges required to access your Amazon S3 datasets using the ListObjectsV2 and GetObject API actions.
Example IAM policy for Amazon S3 object as dataset
The following example shows an IAM policy that grants the least privileges to access
the objects organized within
in an
Amazon S3 bucket named processImages
.myBucket
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::
myBucket
" ], "Condition": { "StringLike": { "s3:prefix": [ "processImages
" ] } } } ] }
Example IAM policy for a CSV file as dataset
The following example shows an IAM policy that grants least privileges to access a
CSV file named
.ratings.csv
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
myBucket
/csvDataset
/ratings.csv
" ] } ] }
Example IAM policy for an Amazon S3 inventory as dataset
The following example shows an IAM policy that grants least privileges to access an Amazon S3 inventory report.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::
destination-prefix
/source-bucket
/config-ID
/YYYY-MM-DDTHH-MMZ
/manifest.json", "arn:aws:s3:::destination-prefix
/source-bucket
/config-ID
/data/*" ] } ] }
Example of IAM policy for writing data to an Amazon S3 bucket
The following IAM policy example grants the least privileges required to write your
child workflow execution results to a folder named csvJobs
in an
Amazon S3 bucket using the PutObject
API
action.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::
resultBucket
/csvJobs
/*" ] } ] }