Description
#3627 introduced UseAliasAsEventTarget to AWS::Serverless::StateMachine. When this property is set to true, EventBridge fails to start an SFN execution due to incorrect permissions.
Steps to reproduce
Here's the same template used in the above-mentioned PR:
Transform:
  - AWS::LanguageExtensions
  - AWS::Serverless-2016-10-31
Resources:
  ExampleFunction:
    Type: AWS::Serverless::Function
    Properties:
      AutoPublishAlias: live
      Runtime: provided.al2023
      Handler: bootstrap
      CodeUri: s3://aws-sam-cli-managed-default-samclisourcebucket-example/example-fn
      Events:
        LambdaExample:
          Type: EventBridgeRule
          Properties:
            Pattern:
              source: [ aws.tag ]
  ExampleMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      AutoPublishAlias: live
      UseAliasAsEventTarget: true
      Events:
        MachineExample:
          Type: EventBridgeRule
          Properties:
            Pattern:
              source: [aws.tag]
      DefinitionUri:
        Bucket: aws-sam-cli-managed-default-samclisourcebucket-example
        Key: example-asl
Observed result
This results in EventBridge using an IAM role with the following policy:
{
  "Statement": [
    {
      "Action": "states:StartExecution",
      "Resource": "arn:aws:states:ap-southeast-2:0123456789012:stateMachine:ExampleMachineAbcdef:live",
      "Effect": "Allow"
    }
  ]
}
This results in EventBridge being unable to start the state machine. I suspect this is because the Resource should be the unqualified ARN, i.e. the ARN without the :live suffix. I verified this suspicion by manually modifying the SAM-generated policy and EventBridge was able to successfully start the state machine via its alias.
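To check a SAM-generated role policy for this problem before deploying, here is an added Python example; it is not code from the aws-sam project or from the issue author. It embeds the policy quoted above as constructed sample input, flags every Allow statement that grants states:StartExecution on an alias- or version-qualified state machine ARN, and rewrites those resources to the unqualified ARN that the report found to work. The ARN parsing assumes the documented arn:partition:states:region:account:stateMachine:Name[:qualifier] layout; the function and variable names are the example's own.

```python
import copy
import fnmatch
from typing import Any, Dict, List, Tuple

# Constructed sample: the role policy SAM generated in the report above.
SAMPLE_POLICY: Dict[str, Any] = {
    "Statement": [
        {
            "Action": "states:StartExecution",
            "Resource": "arn:aws:states:ap-southeast-2:0123456789012:stateMachine:ExampleMachineAbcdef:live",
            "Effect": "Allow",
        }
    ]
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def split_state_machine_arn(arn: str) -> Tuple[str, str]:
    """Return (unqualified ARN, qualifier) for a Step Functions state machine ARN.

    Assumed layout: arn:partition:states:region:account:stateMachine:Name[:alias-or-version].
    State machine names cannot contain ':', so splitting on ':' is safe.
    The qualifier is '' when the ARN is already unqualified.
    """
    parts = arn.split(":")
    if (len(parts) not in (7, 8) or parts[0] != "arn"
            or parts[2] != "states" or parts[5] != "stateMachine"):
        raise ValueError(f"not a state machine ARN: {arn}")
    qualifier = parts[7] if len(parts) == 8 else ""
    return ":".join(parts[:7]), qualifier


def find_qualified_start_execution(policy: Dict[str, Any]) -> List[Tuple[int, str, str]]:
    """List (statement index, qualified resource, unqualified resource) for every
    Allow statement whose Action covers states:StartExecution and whose Resource
    is a qualified state machine ARN."""
    findings: List[Tuple[int, str, str]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Honour wildcards such as "states:*" the way IAM does.
        if not any(fnmatch.fnmatchcase("states:StartExecution", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if not isinstance(res, str) or not res.startswith("arn:"):
                continue  # "*" or an unresolved intrinsic; out of scope for this check
            try:
                unqualified, qualifier = split_state_machine_arn(res)
            except ValueError:
                continue  # some other service's ARN
            if qualifier:
                findings.append((idx, res, unqualified))
    return findings


def rewrite_to_unqualified(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the policy in which every flagged resource is replaced by
    the unqualified state machine ARN (the manual change described in the report).
    The input policy is left untouched."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = _as_list(fixed.get("Statement"))
    for idx, qualified, unqualified in find_qualified_start_execution(policy):
        stmt = fixed["Statement"][idx]
        resources = [unqualified if r == qualified else r for r in _as_list(stmt.get("Resource"))]
        deduped = list(dict.fromkeys(resources))  # in case the unqualified ARN was already listed
        stmt["Resource"] = deduped[0] if len(deduped) == 1 else deduped
    return fixed


if __name__ == "__main__":
    import json
    for idx, qualified, unqualified in find_qualified_start_execution(SAMPLE_POLICY):
        print(f"Statement {idx}: {qualified} -> {unqualified}")
    print(json.dumps(rewrite_to_unqualified(SAMPLE_POLICY), indent=2))
```

Running the script on the sample prints the one offending statement and the corrected policy; pointing it at the role policy from a `sam build` output (for example the policy document in the generated CloudFormation template) gives a quick pre-deployment check that no StartExecution grant is scoped to an alias-qualified ARN.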
Expected result
I expect EventBridge to be able to invoke the state machine.
Additional environment details
- OS: MacOS
- If using the SAM CLI, `sam --version`: SAM CLI, version 1.133.0
- AWS region: ap-southeast-2