aws-stepfunctions-tasks: state machine role is missing sagemaker:AddTags permission for SageMakerCreateTrainingJob task #32294

@historyandfun

Describe the bug

When a step function triggers a SageMaker training job, the step function fails with the error "is not authorized to perform: sagemaker:AddTags on resource: arn:aws:sagemaker:us-east-1:xxxx:training-job/xxxx because no identity-based policy allows the sagemaker:AddTags action". It could be a similar issue to #26012.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

If the permission is required, the step function should generate a role with the sagemaker:AddTags permission.

Current Behavior

The generated step function role for SageMakerCreateTrainingJob is missing the sagemaker:AddTags permission.

Reproduction Steps

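import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
import { IntegrationPattern } from 'aws-cdk-lib/aws-stepfunctions';
import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// Training-job task using the RUN_JOB integration pattern
const smStep = new tasks.SageMakerCreateTrainingJob(this, 'xxx', {
  integrationPattern: IntegrationPattern.RUN_JOB,
  // ....
});

// State machine whose generated role is reported to lack sagemaker:AddTags
const stateMachine = new sfn.StateMachine(this, 'satemachine', {
  definition: smStep.next(xxx),
  // ...
});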

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.121.0

Framework Version

No response

Node.js Version

18

OS

linux

Language

TypeScript

Language Version

No response

Other information

No response
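
One way to catch this gap before deployment is to check the synthesized role policy for the actions the task needs. The following is an added example, not code from this issue or from the CDK: the type names, `missingActions`, the sample policy documents and the account ID are constructed for illustration, and the evaluation is simplified (it ignores `Condition`, `NotAction` and `NotResource`).

```typescript
type OneOrMany = string | string[];
interface Statement { Effect: 'Allow' | 'Deny'; Action: OneOrMany; Resource: OneOrMany; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

const toList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value);
}

// Simplified identity-policy evaluation: an explicit Deny wins, else one Allow is needed.
function isAllowed(doc: PolicyDocument, action: string, resource: string): boolean {
  const matching = doc.Statement.filter((s: Statement) =>
    toList(s.Action).some(a => wildcardMatch(a, action, true)) &&   // action names are case-insensitive
    toList(s.Resource).some(r => wildcardMatch(r, resource, false)));
  return !matching.some(s => s.Effect === 'Deny') && matching.some(s => s.Effect === 'Allow');
}

// Actions the state machine role needs on the training job, per the error in this issue.
const REQUIRED_ACTIONS = ['sagemaker:CreateTrainingJob', 'sagemaker:AddTags'];

function missingActions(doc: PolicyDocument, resource: string): string[] {
  return REQUIRED_ACTIONS.filter(a => !isAllowed(doc, a, resource));
}

// Constructed sample data (placeholder account ID and job name).
const JOB_ARN = 'arn:aws:sagemaker:us-east-1:111122223333:training-job/example-job';
const JOB_PATTERN = 'arn:aws:sagemaker:us-east-1:111122223333:training-job/*';

// Role policy without AddTags, mirroring the failure reported above.
const policyBefore: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['sagemaker:CreateTrainingJob', 'sagemaker:DescribeTrainingJob', 'sagemaker:StopTrainingJob'],
    Resource: JOB_PATTERN,
  }],
};

// Same policy with a statement scoped to training jobs only, not to '*'.
const policyAfter: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [...policyBefore.Statement,
    { Effect: 'Allow', Action: 'sagemaker:AddTags', Resource: JOB_PATTERN }],
};
```

Running `missingActions` over each role policy in the synthesized template, for example as a CI step, flags the missing permission without waiting for a failed execution.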
