
I have a CloudFormation stack like,

---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  MyFavoriteActivity:
    Type: "AWS::StepFunctions::Activity"
    Properties:
      Name: "my-special-name"

  ActivityAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/my-special-user"
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: "Activity_Role_Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - states:GetActivityTask
                Resource: { Ref: "MyFavoriteActivity" }

Using Boto3, I try to call get_activity_task using the keys from my ActivityAccessRole,

import boto3

# assumed_role_keys: aws_access_key_id / aws_secret_access_key / aws_session_token
# returned by sts:AssumeRole on ActivityAccessRole (see the linked answer).
sfn_client = boto3.client('stepfunctions', **assumed_role_keys)
task = sfn_client.get_activity_task(
    activityArn='arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity',
    workerName='my-worker'
)

But I get an error,

An error occurred (AccessDeniedException) when calling the GetActivityTask operation:
User: arn:aws:sts::012345678910:assumed-role/some-prefix-ActivityAccessRole-some-hash/AssumeRoleSession1
is not authorized to perform: states:GetActivityTask on resource: arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity

The problem I see is that I never created arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity (note the prefix)!

How do I fix my CF template to give the proper permissions?

  • How exactly are you configuring the "keys from my `ActivityAccessRole`"? Where do these keys come from? They're not in the stack. – kichik Nov 14 '17 at 20:15
  • @kichik Similar to [this](https://stackoverflow.com/questions/47169773/how-do-i-get-a-pre-signed-url-for-an-api-gateway-in-cloudformation-using-boto3/47170173#47170173). I don't believe this is the issue because if you look at the error, it says that I am using the assumed role `User: arn:...:AssumedRoleSession1`. But I very well could be wrong. –  Nov 14 '17 at 20:17
  • Does it work if you use `Resource: "*"`? – kichik Nov 14 '17 at 20:20
  • Here's how I do it: In your role "AssumeRolePolicyDocument", trust the account instead of the user (ie: trust root). Then allow the user to assume this role, using a policy attached to the user, or even better, attached to a group that contains the user. – Laurent Jalbert Simard Nov 14 '17 at 20:31
  • @kichik Sort of. Throws a connection timeout after a while, but I also don't have any tasks for it to get. So I would actually expect that –  Nov 14 '17 at 20:32
  • @LaurentJalbertSimard I don't think assuming the role is the problem. –  Nov 14 '17 at 20:34
  • I can't find any documentation to support this, but I guess you can just add that prefix yourself. – kichik Nov 14 '17 at 20:37
  • The documentation for the CloudFormation "Ref" intrinsic function indicates that the ARN of the Activity is returned. Just curious .... have you tried the syntax `!Ref MyFavoriteActivity` **instead of** `{ Ref: "MyFavoriteActivity" }`? I think this is the right way to handle this in YAML syntax. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html –  Nov 14 '17 at 20:51

1 Answer


The problem is pretty dumb (or genius and poorly documented). I needed to change my role to,

  ActivityAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/frp-api-user"
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: "Activity_Role_Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - states:GetActivityTask
                Resource:
                  - Fn::Sub: "arn:aws:states::${AWS::AccountId}:role/${MyFavoriteActivity}"
                  - { Ref: "MyFavoriteActivity" }

Note the last two lines. For some reason you need to add both resources: the real one and the one that popped out of the vacuum.
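The answer's Resource list works because IAM compares each Resource pattern in the policy against the resource string the service reports for the request, which here is the prefixed arn:aws:states::ACCOUNT:role/... value from the error message rather than the activity ARN that Ref returns. The following is an added example, not code from the question or the answer, that reproduces that comparison offline: it parses the action and resource out of the AccessDeniedException text quoted in the question and evaluates both the original and the corrected policy against them using IAM-style `*` and `?` wildcard matching. The account ID, region and activity ARN are the ones in the thread; the two policy documents are the question's and the answer's statements with Ref/Fn::Sub already rendered; and the evaluator handles only Effect/Action/Resource (no NotAction, NotResource or Condition), which is an assumption made for this illustration.

```python
"""Miniature IAM Action/Resource check for the AccessDenied in this thread.

Added example, not code from the question or the answer. Constants are taken
from the ARNs quoted in the thread; the policies are the two templates'
statements with Ref / Fn::Sub rendered by hand (assumption: same account).
"""
import re

ACCOUNT_ID = "012345678910"
ACTIVITY_ARN = f"arn:aws:states:us-west-2:{ACCOUNT_ID}:activity:My-favorite-activity"

# The resource the service named in the AccessDeniedException (note the role/ prefix).
PREFIXED_ARN = f"arn:aws:states::{ACCOUNT_ID}:role/{ACTIVITY_ARN}"

# Question's policy: only the real activity ARN, i.e. what Ref returns.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["states:GetActivityTask"], "Resource": [ACTIVITY_ARN]}
    ],
}

# Answer's policy: the prefixed pseudo-ARN plus the real ARN.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["states:GetActivityTask"],
         "Resource": [PREFIXED_ARN, ACTIVITY_ARN]}
    ],
}

# Constructed copy of the error text from the question, used as sample input.
ERROR_MESSAGE = (
    "An error occurred (AccessDeniedException) when calling the GetActivityTask operation: "
    f"User: arn:aws:sts::{ACCOUNT_ID}:assumed-role/some-prefix-ActivityAccessRole-some-hash/"
    "AssumeRoleSession1 "
    f"is not authorized to perform: states:GetActivityTask on resource: {PREFIXED_ARN}"
)

_DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Return (action, resource) from an IAM AccessDenied message, or raise ValueError."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.group("action"), m.group("resource")


def _iam_glob(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
    Everything else is literal, so the ':' and '/' inside ARNs are not special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if some Allow statement matches action+resource and no Deny statement does.
    Action names are case-insensitive in IAM; resource ARNs are matched case-sensitively.
    Only Effect/Action/Resource are evaluated (assumption: no NotAction/NotResource/Condition)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(_iam_glob(a, action, case_insensitive=True)
                        for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_iam_glob(r, resource)
                          for r in _as_list(stmt.get("Resource", [])))
        if not (action_ok and resource_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins regardless of statement order
        allowed = True
    return allowed


def diagnose(policy, message):
    """Parse the AccessDenied message and report whether `policy` would have allowed it."""
    action, resource = parse_access_denied(message)
    return {"action": action, "resource": resource,
            "allowed": policy_allows(policy, action, resource)}


if __name__ == "__main__":
    for name, policy in (("question", ORIGINAL_POLICY), ("answer", FIXED_POLICY)):
        result = diagnose(policy, ERROR_MESSAGE)
        verdict = "allowed" if result["allowed"] else "DENIED"
        print(f"{name}: {result['action']} on {result['resource']} -> {verdict}")
```

Run as-is, the question's policy is denied for the prefixed resource while the answer's is allowed, and the same evaluator shows why the `Resource: "*"` suggested in the comments also works, at the cost of granting the role states:GetActivityTask on every activity in the account. To check the deployed role rather than this offline model, `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names states:GetActivityTask --resource-arns <both ARNs>` evaluates the real policy set the same way.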