I have a Cloudformation stack like,
---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
MyFavoriteActivity:
Type: "AWS::StepFunctions::Activity"
Properties:
Name: "my-special-name"
ActivityAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/my-special-user"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "Activity_Role_Policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:GetActivityTask
Resource: { Ref: "MyFavoriteActivity" }
Using Boto3, I try to call get_activity_task
using the keys from my ActivityAccessRole
,
sfn_client = boto3.client('stepfunctions', **assumed_role_keys)
task = sfn_client.get_activity_task(
activityArn='arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity',
workerName='my-worker'
)
But I get an error,
An error occurred (AccessDeniedException) when calling the GetActivityTask operation:
User: arn:aws:sts::012345678910:assumed-role/some-prefix-ActivityAccessRole-some-hash/AssumeRoleSession1
is not authorized to perform: states:GetActivityTask on resource: arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity
the problem I see is that I never created arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity
(note the prefix)!
How do I fix my CF template to give the proper permissions?