Creating granular permissions for non-admin users in Step Functions
The default managed policies in IAM, such as ReadOnly, don't fully cover all types of AWS Step Functions permissions. This section describes these different types of permissions and provides some example configurations.
Step Functions has four categories of permissions. Depending on what access you want to provide to a user, you can control access by using permissions in these categories.
- Service-Level Permissions: apply to components of the API that do not act on a specific resource.
- State Machine-Level Permissions: apply to all API components that act on a specific state machine.
- Execution-Level Permissions: apply to all API components that act on a specific execution.
- Activity-Level Permissions: apply to all API components that act on a specific activity or on a particular instance of an activity.
Service-Level Permissions
This permission level applies to all API actions that do not act on a specific resource. These include CreateStateMachine, CreateActivity, ListStateMachines, ListActivities, and ValidateStateMachineDefinition. Because CreateStateMachine passes an execution role to the service, the example also grants iam:PassRole on that specific role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity",
        "states:ValidateStateMachineDefinition"
      ],
      "Resource": [
        "arn:aws:states:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam:::role/my-execution-role"
      ]
    }
  ]
}
State Machine-Level Permissions
This permission level applies to all API actions that act on a specific state machine. These API operations require the Amazon Resource Name (ARN) of the state machine as part of the request, such as DeleteStateMachine, DescribeStateMachine, StartExecution, and ListExecutions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:DeleteStateMachine",
        "states:ListExecutions",
        "states:UpdateStateMachine",
        "states:TestState",
        "states:RevealSecrets"
      ],
      "Resource": [
        "arn:aws:states:*:*:stateMachine:StateMachinePrefix*"
      ]
    }
  ]
}
Execution-Level Permissions
This permission level applies to all the API actions that act on a specific execution. These API operations require the ARN of the execution as part of the request, such as DescribeExecution, GetExecutionHistory, and StopExecution.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:DescribeStateMachineForExecution",
        "states:GetExecutionHistory",
        "states:StopExecution"
      ],
      "Resource": [
        "arn:aws:states:*:*:execution:*:ExecutionPrefix*"
      ]
    }
  ]
}
Activity-Level Permissions
This permission level applies to all the API actions that act on a specific activity or on a particular instance of it. These API operations require the ARN of the activity or the token of the instance as part of the request, such as DeleteActivity, DescribeActivity, GetActivityTask, and SendTaskHeartbeat.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeActivity",
        "states:DeleteActivity",
        "states:GetActivityTask",
        "states:SendTaskHeartbeat"
      ],
      "Resource": [
        "arn:aws:states:*:*:activity:ActivityPrefix*"
      ]
    }
  ]
}
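As an added example that is not part of the AWS documentation, the following Python evaluates individual requests against constructed, trimmed copies of the state machine-level and execution-level policies above. It implements IAM's wildcard matching and its explicit-deny-wins rule so you can check how the StateMachinePrefix and ExecutionPrefix resource patterns scope what a user may do before deploying such a policy; the region, account ID and resource names used in the checks are made up.

```python
import json
import re

# Constructed, trimmed copies of the state-machine- and execution-level
# policies above; "StateMachinePrefix" and "ExecutionPrefix" are this
# page's placeholder names, not real resources.
STATE_MACHINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["states:DescribeStateMachine", "states:StartExecution",
               "states:ListExecutions"],
    "Resource": ["arn:aws:states:*:*:stateMachine:StateMachinePrefix*"]
  }]
}""")
EXECUTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["states:DescribeExecution", "states:StopExecution"],
    "Resource": ["arn:aws:states:*:*:execution:*:ExecutionPrefix*"]
  }]
}""")

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters
    (including ':' and '/'), '?' matches exactly one; nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policies, action, resource):
    """Decide one request the way IAM evaluates identity-based policies
    (Action/Resource statements only): an explicit Deny wins, otherwise at
    least one Allow must match both the action (case-insensitive) and the
    resource ARN (case-sensitive)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

A request that matches an action but not the resource prefix (for example StartExecution on a state machine outside StateMachinePrefix*) is denied, which is exactly the granularity the prefixed ARNs are meant to provide.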