How AWS Step Functions Works with IAM - AWS Step Functions

How AWS Step Functions Works with IAM

AWS Step Functions can execute code and access AWS resources (such as invoking an AWS Lambda function). To maintain security, you must grant Step Functions access to those resources by using an IAM role.

The Tutorials for Step Functions in this guide enable you to take advantage of automatically generated IAM roles that are valid for the AWS Region in which you create the state machine. To create your own IAM role for a state machine, follow the steps in this section.

In this example, you create an IAM role with permission to invoke a Lambda function.

Create a role for Step Functions

  1. Sign in to the IAM console, and then choose Roles, Create role.

  2. On the Select type of trusted entity page, under AWS service, select Step Functions from the list, and then choose Next: Permissions.

  3. On the Attached permissions policy page, choose Next: Review.

  4. On the Review page, enter StepFunctionsLambdaRole for Role Name, and then choose Create role.

    The IAM role appears in the list of roles.

For more information about IAM permissions and policies, see Access Management in the IAM User Guide.

Attach an Inline Policy

Step Functions can control other services directly in a task state. Attach inline policies to allow Step Functions to access the API actions of the services you need to control.

  1. Open the IAM console, choose Roles, search for your Step Functions role, and select that role.

  2. Select Add inline policy.

  3. Use the Visual editor or the JSON tab to create policies for your role.

For more information about how AWS Step Functions can control other AWS services, see Using AWS Step Functions with other services.


For examples of IAM policies created by the Step Functions console, see IAM Policies for integrated services.