IAM policies for AWS Step Functions
For a state machine that calls StartExecution
for a single nested workflow
execution, use an IAM policy that limits permissions to that state machine.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": [
"arn:aws:states:[[region]]
:[[accountId]]
:stateMachine:[[stateMachineName]]
"
]
}
]
}
For more information, see the following:
- Synchronous
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": [
"arn:aws:states:[[region]]
:[[accountId]]
:stateMachine:[[stateMachineName]]"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:StopExecution"
],
"Resource": [
"arn:aws:states:[[region]]
:[[accountId]]
:execution:[[stateMachineName]]
:*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]
:[[accountId]]
:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
]
}
]
}
- Asynchronous
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:StartExecution"
],
"Resource": [
"arn:aws:states:[[region]]
:[[accountId]]
:stateMachine:[[stateMachineName]]
"
]
}
]
}
For more information about nested workflow executions, see Start Workflow Executions from a Task State.