假定的 IAM 角色无权执行:states:GetActivityTask 资源:arn:aws:states::012345678910:role/
Assumed IAM Role is not authorized to perform: states:GetActivityTask on resource: arn:aws:states::012345678910:role/
我有一个 Cloudformation 堆栈,
---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
MyFavoriteActivity:
Type: "AWS::StepFunctions::Activity"
Properties:
Name: "my-special-name"
ActivityAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/my-special-user"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "Activity_Role_Policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:GetActivityTask
Resource: { Ref: "MyFavoriteActivity" }
使用 Boto3,我尝试使用 ActivityAccessRole、
中的键调用 get_activity_task
sfn_client = boto3.client('stepfunctions', **assumed_role_keys)
task = sfn_client.get_activity_task(
activityArn='arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity',
workerName='my-worker'
)
但是我得到一个错误,
An error occurred (AccessDeniedException) when calling the GetActivityTask operation:
User: arn:aws:sts::012345678910:assumed-role/some-prefix-ActivityAccessRole-some-hash/AssumeRoleSession1
is not authorized to perform: states:GetActivityTask on resource: arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity
我看到的问题是我从未创建 arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity(注意前缀)!
如何修复我的 CF 模板以提供适当的权限?
这个问题很愚蠢(或者天才而且没有记录)。我需要将我的角色更改为,
ActivityAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/frp-api-user"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "Activity_Role_Policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:GetActivityTask
Resource:
- Fn::Sub: "arn:aws:states::${AWS::AccountId}:role/${MyFavoriteActivity}"
- { Ref: "MyFavoriteActivity" }
你应该注意最后两行的地方。由于某种原因需要添加这两种资源。真品和从真空中蹦出来的。
我有一个 Cloudformation 堆栈,
---
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
MyFavoriteActivity:
Type: "AWS::StepFunctions::Activity"
Properties:
Name: "my-special-name"
ActivityAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/my-special-user"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "Activity_Role_Policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:GetActivityTask
Resource: { Ref: "MyFavoriteActivity" }
使用 Boto3,我尝试使用 ActivityAccessRole、
get_activity_task
sfn_client = boto3.client('stepfunctions', **assumed_role_keys)
task = sfn_client.get_activity_task(
activityArn='arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity',
workerName='my-worker'
)
但是我得到一个错误,
An error occurred (AccessDeniedException) when calling the GetActivityTask operation:
User: arn:aws:sts::012345678910:assumed-role/some-prefix-ActivityAccessRole-some-hash/AssumeRoleSession1
is not authorized to perform: states:GetActivityTask on resource: arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity
我看到的问题是我从未创建 arn:aws:states::012345678910:role/arn:aws:states:us-west-2:012345678910:activity:My-favorite-activity(注意前缀)!
如何修复我的 CF 模板以提供适当的权限?
这个问题很愚蠢(或者天才而且没有记录)。我需要将我的角色更改为,
ActivityAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Sub: "arn:aws:iam::${AWS::AccountId}:user/frp-api-user"
Action:
- sts:AssumeRole
Policies:
- PolicyName: "Activity_Role_Policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- states:GetActivityTask
Resource:
- Fn::Sub: "arn:aws:states::${AWS::AccountId}:role/${MyFavoriteActivity}"
- { Ref: "MyFavoriteActivity" }
你应该注意最后两行的地方。由于某种原因需要添加这两种资源。真品和从真空中蹦出来的。