Lambda ARN missing from IAM Role

[levegetarien]

This is a (Bug Report / Feature Proposal)

Description

When implementing Callbacks in step functions, the IAM policy that gets generated does not include the ARN of the Lambda (Task).

The step function looks like this:

  name: some-name
  definition:
    Comment: "some step with callback"
    StartAt: request-approval
    States:
      request-approval:
        Type: Task
        Resource: arn:aws:states:::lambda:invoke.waitForTaskToken
        Parameters:
          FunctionName: arn:aws:lambda:${self:provider.region}:${self:custom.stage.infra.AWS_ACCOUNT}:function:function-name-1
          Payload:
            token.$: "$$.Task.Token"
        End: true

The IAM policy that gets generated does contain all ARN of other lambdas included in the step, but not when using the ARN nested in the Parameters field. The resulting policy (and role) won't allow the step to invoke the lambda.

Additional Data

• Serverless Framework Core Version you're using: 1.41.1
• The Plugin Version you're using: 1.20.0

[levegetarien]

I might be missing something, but I have no clue what that would be. I removed the whole stack, did a clean deploy, policy still misses the ARN. If I add it manually, all is peachy again.

[theburningmonk]

@levegetarien it's because we generate the IAM permissions by matching against the Resource string and it's not matching the .waitForTaskToken suffix.

[levegetarien]

in this case, the Resource string does not contain the ARN of my function, this is the ARN of the AWS Service. The ARN of the function is only described in Parameters.FunctionName. I think this notation is a quirk of how AWS set up the service integrations for Step Functions.

[theburningmonk]

🎉 This issue has been resolved in version 1.21.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀