
aws_stepfunctions: Automatic grant for StartExecution not added to default policy #29825

Closed
marcioemiranda opened this issue Apr 13, 2024 · 5 comments
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions bug This issue is a bug. feature-request A feature should be added or improved. p2

Comments

@marcioemiranda

marcioemiranda commented Apr 13, 2024

Describe the bug

Hello team,
I've noticed this issue after upgrading to cli version 2.137.0.
I have a simple step function that calls a nested step function.
After synthesizing the app, I can see the policy granting access to execute the nested step function in the construct tree. However, the generated CloudFormation template does not include the policy and, because of that, when I execute the step function it fails on that step due to lack of authorization.

Expected Behavior

The expected behavior is for CDK to auto-detect the call to a nested step function in the state machine definition and add a policy granting access to execute (StartExecution) the nested sfn.

Current Behavior

The statement that adds the StartExecution action on the nested step function ARN is added to the construct tree, but not to the CloudFormation template.

Reproduction Steps

To reproduce the steps, I just have to run synth on the project and inspect the construct tree and CloudFormation template.

Possible Solution

Please review the process that generates the template based on the tree output I am attaching here.

Additional Information/Context

I am attaching the construct tree generated by synth and the corresponding CloudFormation template.
tree.json
OneAiServiceStack.template.json
OneAiServiceStack.assets.json

For reference, I am adding here the code used to create the step function call task. Notice I am not granting access explicitly for the parent step function to be able to execute the nested step function. I expected CDK to do that, like it did in other projects I've done before.

// Imports used by the snippet below (the enclosing class declaration is elided)
import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import { StepFunctionsStartExecution } from 'aws-cdk-lib/aws-stepfunctions-tasks';

protected override buildStateMachineDefinition(
  props: PostTxWorkflowProps,
): sfn.DefinitionBody {
  ...
  // Task that starts the nested state machine; no explicit grant is made here
  const callAiIntegration = new StepFunctionsStartExecution(
    this,
    'CallAiIntegration',
    {
      comment:
        'Call nested async workflow that integrates with different AI tools',
      stateMachine: props.aiIntegrationStateMachine,
      integrationPattern: sfn.IntegrationPattern.REQUEST_RESPONSE,
      input: sfn.TaskInput.fromObject({
        taskId: sfn.JsonPath.stringAt('$.task.id'),
        payload: '$.body',
      }),
      resultPath: '$.ai',
    },
  );
  ...
  createTask.next(callAiIntegration);
  callAiIntegration.next(response);

  // Return start state
  return sfn.ChainDefinitionBody.fromChainable(createTask);
}

CDK CLI Version

2.137.0

Framework Version

2.88

Node.js Version

18.12.1

OS

macos 12.3.1

Language

TypeScript

Language Version

Typescript 5.4.5

Other information

Additional info: The project was initially set up by projen 0.81.0

The step function reported in this issue can be found in the tree as:
tree / children / OneAiServiceStack / children / PostTxWorkflow / StateMachine / children / Role / DefaultPolicy
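As an added example that is not part of this issue or of aws-cdk, a small TypeScript checker that performs the inspection described above on a synthesized template: it resolves the parent state machine's RoleArn, collects the AWS::IAM::Policy statements attached to that role, and reports whether states:StartExecution on the nested state machine is present. The template embedded in it is constructed for the example and its logical ids are invented; `dropAction` produces the shape the reporter saw, a template whose role policy lacks the grant.

```typescript
// Added example, not from the issue or from aws-cdk: after `cdk synth`, confirm that the
// parent state machine's role really received states:StartExecution on the nested machine.
type Template = { Resources: { [id: string]: any } };
// Constructed template shaped like CDK output for a parent StateMachine, its Role, the
// Role's DefaultPolicy and a nested StateMachine; the logical ids are invented.
const sampleTemplate: Template = { Resources: {
  NestedSM: { Type: "AWS::StepFunctions::StateMachine", Properties: {} },
  ParentRole: { Type: "AWS::IAM::Role", Properties: {} },
  ParentSM: { Type: "AWS::StepFunctions::StateMachine",
              Properties: { RoleArn: { "Fn::GetAtt": ["ParentRole", "Arn"] } } },
  ParentRoleDefaultPolicy: { Type: "AWS::IAM::Policy", Properties: {
    Roles: [{ Ref: "ParentRole" }],
    PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "states:StartExecution", Resource: { Ref: "NestedSM" } },
      { Effect: "Allow", Action: ["dynamodb:UpdateItem"], Resource: "*" },
    ] } } },
} };

const asList = (v: any): any[] => (Array.isArray(v) ? v : [v]);
const resources = (t: Template): any[] => Object.keys(t.Resources).map((k) => t.Resources[k]);
// Logical id that a Ref or Fn::GetAtt intrinsic points at; undefined for literal values.
function refTarget(v: any): string | undefined {
  if (!v || typeof v !== "object") return undefined;
  return typeof v.Ref === "string" ? v.Ref : Array.isArray(v["Fn::GetAtt"]) ? v["Fn::GetAtt"][0] : undefined;
}
// Statements of every AWS::IAM::Policy attached to the role behind state machine `smId`.
function roleStatements(t: Template, smId: string): any[] {
  const roleId = refTarget(t.Resources[smId] && t.Resources[smId].Properties.RoleArn);
  let out: any[] = [];
  for (const r of resources(t))
    if (roleId && r.Type === "AWS::IAM::Policy" && asList(r.Properties.Roles).some((x) => refTarget(x) === roleId))
      out = out.concat(asList(r.Properties.PolicyDocument.Statement));
  return out;
}
// True when an Allow statement covers states:StartExecution on the nested state machine.
function hasStartExecutionGrant(t: Template, parentId: string, nestedId: string): boolean {
  return roleStatements(t, parentId).some((s) =>
    s.Effect === "Allow" &&
    asList(s.Action).some((a) => a === "states:StartExecution" || a === "states:*") &&
    asList(s.Resource).some((r) => r === "*" || refTarget(r) === nestedId));
}
// Deep copy with every statement naming `action` removed: the gap the reporter saw in synth output.
function dropAction(t: Template, action: string): Template {
  const c: Template = JSON.parse(JSON.stringify(t));
  for (const r of resources(c))
    if (r.Type === "AWS::IAM::Policy")
      r.Properties.PolicyDocument.Statement = asList(r.Properties.PolicyDocument.Statement)
        .filter((s) => asList(s.Action).indexOf(action) < 0);
  return c;
}
```

To run it against a real synth result, replace `sampleTemplate` with the parsed contents of the stack's template file from cdk.out and pass the logical ids of the parent and nested state machines.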

@marcioemiranda marcioemiranda added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2024
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Apr 13, 2024
@marcioemiranda
Author

FYI, I found other strange behavior in this synth regarding policies.
Another step function uses two tasks to manipulate DynamoDB: UpdateItem and PutItem.

I can see both policies generated automatically by CDK in the tree, but just one of them got into the CloudFormation template.

Tree path:
tree / children / OneAiServiceStack / children / AiIntegrationWorkflow / StateMachine / children / Role / DefaultPolicy

@pahud
Contributor

pahud commented Apr 16, 2024

The expected behavior is for CDK to auto-detect the call to a nested step function in the state machine definition and add a policy granting access to execute (StartExecution) the nested sfn.

I am looking at the source here.

export class StepFunctionsStartExecution extends sfn.TaskStateBase {

Yes, looks like CDK at this moment does not grant relevant permissions to the parent state machine execution role and might require manual grant instead. This might be improved with a PR and I am making this a p2 feature request.

@pahud pahud added p2 feature-request A feature should be added or improved. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 16, 2024
@marcioemiranda
Author

Hello,

I've found out the issue was caused by my own construct. The permission to execute the nested step function was granted automatically when using the CDK library construct (StateMachine) directly.

Sorry for the inconvenience.


github-actions bot commented Jun 5, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024