(aws-stepfunctions): cross-region grantRead not working #17982

Description

@mrudelle

What is the problem?

When working with a stack in one region and granting it read access to a state machine in another region, the policy statement for executions points to executions in the wrong region.

Reproduction Steps

Create a basic stack with a role and a step function (the step function must be in another region than the stack's environment):

#!/usr/bin/env python3
import os

from aws_cdk import (
    core as cdk
)

from tmp_cdk_issue.tmp_cdk_issue_stack import TmpCdkIssueStack


app = cdk.App()
TmpCdkIssueStack(app, "TmpCdkIssueStack",
    env=cdk.Environment(account='123456789012', region='us-east-1'))

app.synth()

and

from aws_cdk import (
    aws_iam as iam,
    core as cdk,
    aws_stepfunctions as sfn
)

class TmpCdkIssueStack(cdk.Stack):

    def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Imported state machine that lives in eu-central-1, not in the stack's region (us-east-1)
        smc = sfn.StateMachine.from_state_machine_arn(
            self,
            id="SomeStateMachineInEUCentral1",
            state_machine_arn="arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine")

        r = iam.Role(self, 'SomeRole', assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'))

        smc.grant_read(r)

What did you expect to happen?

synth should produce the following policy:

SomeRoleDefaultPolicy32D3777A:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - states:ListExecutions
              - states:ListStateMachines
            Effect: Allow
            Resource: arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine
          - Action:
              - states:DescribeExecution
              - states:DescribeStateMachineForExecution
              - states:GetExecutionHistory
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :states:eu-central-1:123456789012:execution:myStateMachine:*
          - Action:
              - states:ListActivities
              - states:DescribeStateMachine
              - states:DescribeActivity
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: SomeRoleDefaultPolicy32D3777A
      Roles:
        - Ref: SomeRole6DDC54DD
    Metadata:
      aws:cdk:path: TmpCdkIssueStack/SomeRole/DefaultPolicy/Resource

The second statement points to executions in eu-central-1.

What actually happened?

Instead the following policy is created:

SomeRoleDefaultPolicy32D3777A:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - states:ListExecutions
              - states:ListStateMachines
            Effect: Allow
            Resource: arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine
          - Action:
              - states:DescribeExecution
              - states:DescribeStateMachineForExecution
              - states:GetExecutionHistory
            Effect: Allow
            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :states:us-east-1:123456789012:execution:myStateMachine:*
          - Action:
              - states:ListActivities
              - states:DescribeStateMachine
              - states:DescribeActivity
            Effect: Allow
            Resource: "*"
        Version: "2012-10-17"
      PolicyName: SomeRoleDefaultPolicy32D3777A
      Roles:
        - Ref: SomeRole6DDC54DD
    Metadata:
      aws:cdk:path: TmpCdkIssueStack/SomeRole/DefaultPolicy/Resource

The second statement points to executions in us-east-1.

CDK CLI Version

1.134.0 (build dd5e12d)

Framework Version

No response

Node.js Version

v14.16.1

OS

Mac OS Monterey 12.0.1

Language

Python

Language Version

3.9.7

Other information

We fixed it in our stack by re-implementing grant_read, more specifically by changing how the execution ARN is created. The function executionArn (link) does not specify the region, so the stack's region is used instead, hence the discrepancy. Replacing this function with something like this worked for us:

from aws_cdk.core import Arn, ArnFormat, Stack

# the_step_fn is the imported StateMachine (e.g. from from_state_machine_arn);
# Arn.split keeps the region that its ARN carries.
arn_info = Arn.split(the_step_fn.state_machine_arn, ArnFormat.COLON_RESOURCE_NAME)
execution_arn = Stack.of(self).format_arn(
    resource='execution',
    service='states',
    region=arn_info.region,  # the state machine's region, not the stack's
    resource_name=arn_info.resource_name,
    arn_format=ArnFormat.COLON_RESOURCE_NAME,
)
# grant_read appends the trailing ':*' seen in the policies above to cover every execution

I can propose a PR with a fix and some tests if needed
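The following is an added example, not code from this issue or from the aws-cdk code base. It reproduces the region mismatch without the CDK installed: a minimal ARN splitter that follows the same colon-separated "resource:resource_name" layout the CDK calls ArnFormat.COLON_RESOURCE_NAME, the buggy and the fixed execution-ARN construction side by side, and a check that walks a synthesized PolicyDocument (with the Fn::Join and Ref AWS::Partition intrinsics seen above resolved) and flags Step Functions resources whose region differs from the state machine's. The ARN, account id, regions and policy shape are copied from the reproduction; the constant names, make_policy() and the other helpers are assumptions of this example.

```python
"""Reproduce the cross-region execution ARN mismatch from this issue without the CDK.

Constructed example, not aws-cdk code. split_arn() follows the
"arn:partition:service:region:account:resource:resource_name" layout the CDK
calls ArnFormat.COLON_RESOURCE_NAME; resolve() understands only the two
intrinsics (Ref AWS::Partition, Fn::Join) that appear in the synthesized policy.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed inputs: the ARN and stack region from the reproduction above.
STATE_MACHINE_ARN = "arn:aws:states:eu-central-1:123456789012:stateMachine:myStateMachine"
STACK_REGION = "us-east-1"


@dataclass(frozen=True)
class ArnParts:
    partition: str
    service: str
    region: str
    account: str
    resource: str
    resource_name: str


def split_arn(arn: str) -> ArnParts:
    """Split a colon-resource-name ARN; everything after the 6th colon is the resource name."""
    parts = arn.split(":", 6)
    if len(parts) != 7 or parts[0] != "arn":
        raise ValueError(f"not an arn:...:resource:name ARN: {arn!r}")
    return ArnParts(*parts[1:])


def execution_arn_buggy(state_machine_arn: str, stack_region: str) -> str:
    """What the reported grant_read does: the region comes from the stack, not the ARN."""
    sm = split_arn(state_machine_arn)
    return f"arn:{sm.partition}:states:{stack_region}:{sm.account}:execution:{sm.resource_name}:*"


def execution_arn_fixed(state_machine_arn: str) -> str:
    """The proposed fix: carry the region over from the state machine's own ARN."""
    sm = split_arn(state_machine_arn)
    return f"arn:{sm.partition}:states:{sm.region}:{sm.account}:execution:{sm.resource_name}:*"


def make_policy(execution_region: str) -> Dict[str, Any]:
    """Constructed copy of the synthesized PolicyDocument, parameterised on the execution region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["states:ListExecutions", "states:ListStateMachines"],
             "Effect": "Allow", "Resource": STATE_MACHINE_ARN},
            {"Action": ["states:DescribeExecution", "states:DescribeStateMachineForExecution",
                        "states:GetExecutionHistory"],
             "Effect": "Allow",
             "Resource": {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
                                           f":states:{execution_region}:123456789012:execution:myStateMachine:*"]]}},
            {"Action": ["states:ListActivities", "states:DescribeStateMachine", "states:DescribeActivity"],
             "Effect": "Allow", "Resource": "*"},
        ],
    }


def resolve(value: Any, partition: str = "aws") -> str:
    """Flatten Ref AWS::Partition and Fn::Join into a plain string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if value.get("Ref") == "AWS::Partition":
            return partition
        if "Fn::Join" in value:
            sep, items = value["Fn::Join"]
            return sep.join(resolve(item, partition) for item in items)
    raise ValueError(f"unsupported template value: {value!r}")


def find_wrong_region_resources(policy: Dict[str, Any], expected_region: str) -> List[Tuple[List[str], str]]:
    """Return (actions, arn) for every Step Functions resource ARN outside expected_region.

    "*" is skipped here: it grants every region, which is a separate least-privilege concern.
    """
    findings = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            arn = resolve(res)
            if arn == "*":
                continue
            parts = split_arn(arn)
            if parts.service == "states" and parts.region != expected_region:
                findings.append((list(stmt["Action"]), arn))
    return findings


if __name__ == "__main__":
    print("buggy:", execution_arn_buggy(STATE_MACHINE_ARN, STACK_REGION))
    print("fixed:", execution_arn_fixed(STATE_MACHINE_ARN))
    for actions, arn in find_wrong_region_resources(make_policy(STACK_REGION), "eu-central-1"):
        print("wrong region:", actions, "->", arn)
```

Run against the "actual" policy, the check reports exactly the DescribeExecution/GetExecutionHistory statement: the role ends up with permissions on execution ARNs in us-east-1 that never exist, while the eu-central-1 executions it was meant to read stay inaccessible. The same check over a synthesized template is a cheap guard to run in CI after cdk synth for any stack that imports resources from another region.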

Metadata
Assignees

No one assigned

Labels

    @aws-cdk/aws-stepfunctions (Related to AWS StepFunctions)
    bug (This issue is a bug)
    effort/small (Small work item – less than a day of effort)
    p1
