Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@aws-cdk/aws-stepfunctions
Advanced tools
AWS CDK v1 has reached End-of-Support on 2023-06-01. This package is no longer being updated, and users should migrate to AWS CDK v2.
For more information on how to migrate, see the Migrating to AWS CDK v2 guide.
The @aws-cdk/aws-stepfunctions
package contains constructs for building
serverless workflows using objects. Use this in conjunction with the
@aws-cdk/aws-stepfunctions-tasks
package, which contains classes used
to call other AWS services.
Defining a workflow looks like this (for the Step Functions Job Poller example):
import * as lambda from '@aws-cdk/aws-lambda';
declare const submitLambda: lambda.Function;
declare const getStatusLambda: lambda.Function;
const submitJob = new tasks.LambdaInvoke(this, 'Submit Job', {
lambdaFunction: submitLambda,
// Lambda's result is in the attribute `Payload`
outputPath: '$.Payload',
});
const waitX = new sfn.Wait(this, 'Wait X Seconds', {
time: sfn.WaitTime.secondsPath('$.waitSeconds'),
});
const getStatus = new tasks.LambdaInvoke(this, 'Get Job Status', {
lambdaFunction: getStatusLambda,
// Pass just the field named "guid" into the Lambda, put the
// Lambda's result in a field called "status" in the response
inputPath: '$.guid',
outputPath: '$.Payload',
});
const jobFailed = new sfn.Fail(this, 'Job Failed', {
cause: 'AWS Batch Job Failed',
error: 'DescribeJob returned FAILED',
});
const finalStatus = new tasks.LambdaInvoke(this, 'Get Final Job Status', {
lambdaFunction: getStatusLambda,
// Use "guid" field as input
inputPath: '$.guid',
outputPath: '$.Payload',
});
const definition = submitJob
.next(waitX)
.next(getStatus)
.next(new sfn.Choice(this, 'Job Complete?')
// Look at the "status" field
.when(sfn.Condition.stringEquals('$.status', 'FAILED'), jobFailed)
.when(sfn.Condition.stringEquals('$.status', 'SUCCEEDED'), finalStatus)
.otherwise(waitX));
new sfn.StateMachine(this, 'StateMachine', {
definition,
timeout: Duration.minutes(5),
});
You can find more sample snippets and learn more about the service integrations
in the @aws-cdk/aws-stepfunctions-tasks
package.
A stepfunctions.StateMachine
is a resource that takes a state machine
definition. The definition is specified by its start state, and encompasses
all states reachable from the start state:
const startState = new sfn.Pass(this, 'StartState');
new sfn.StateMachine(this, 'StateMachine', {
definition: startState,
});
State machines execute using an IAM Role, which will automatically have all permissions added that are required to make all state machine tasks execute properly (for example, permissions to invoke any Lambda functions you add to your workflow). A role will be created by default, but you can supply an existing one as well.
Every State Machine execution has State Machine Data: a JSON document containing keys and values that is fed into the state machine, gets modified as the state machine progresses, and finally is produced as output.
You can pass fragments of this State Machine Data into Tasks of the state machine.
To do so, use the static methods on the JsonPath
class. For example, to pass
the value that's in the data key of OrderId
to a Lambda function as you invoke
it, use JsonPath.stringAt('$.OrderId')
, like so:
import * as lambda from '@aws-cdk/aws-lambda';
declare const orderFn: lambda.Function;
const submitJob = new tasks.LambdaInvoke(this, 'InvokeOrderProcessor', {
lambdaFunction: orderFn,
payload: sfn.TaskInput.fromObject({
OrderId: sfn.JsonPath.stringAt('$.OrderId'),
}),
});
The following methods are available:
Method | Purpose |
---|---|
JsonPath.stringAt('$.Field') | reference a field, return the type as a string . |
JsonPath.listAt('$.Field') | reference a field, return the type as a list of strings. |
JsonPath.numberAt('$.Field') | reference a field, return the type as a number. Use this for functions that expect a number argument. |
JsonPath.objectAt('$.Field') | reference a field, return the type as an IResolvable . Use this for functions that expect an object argument. |
JsonPath.entirePayload | reference the entire data object (equivalent to a path of $ ). |
JsonPath.taskToken | reference the Task Token, used for integration patterns that need to run for a long time. |
You can also call intrinsic functions using the methods on JsonPath
:
Method | Purpose |
---|---|
JsonPath.array(JsonPath.stringAt('$.Field'), ...) | make an array from other elements. |
JsonPath.format('The value is {}.', JsonPath.stringAt('$.Value')) | insert elements into a format string. |
JsonPath.stringToJson(JsonPath.stringAt('$.ObjStr')) | parse a JSON string to an object |
JsonPath.jsonToString(JsonPath.objectAt('$.Obj')) | stringify an object to a JSON string |
This library comes with a set of classes that model the Amazon States Language. The following State classes are supported:
An arbitrary JSON object (specified at execution start) is passed from state to state and transformed during the execution of the workflow. For more information, see the States Language spec.
A Task
represents some work that needs to be done. The exact work to be
done is determine by a class that implements IStepFunctionsTask
, a collection
of which can be found in the @aws-cdk/aws-stepfunctions-tasks
module.
The tasks in the @aws-cdk/aws-stepfunctions-tasks
module support the
service integration pattern that integrates Step Functions with services
directly in the Amazon States language.
A Pass
state passes its input to its output, without performing work.
Pass states are useful when constructing and debugging state machines.
The following example injects some fixed data into the state machine through
the result
field. The result
field will be added to the input and the result
will be passed as the state's output.
// Makes the current JSON state { ..., "subObject": { "hello": "world" } }
const pass = new sfn.Pass(this, 'Add Hello World', {
result: sfn.Result.fromObject({ hello: 'world' }),
resultPath: '$.subObject',
});
// Set the next state
const nextState = new sfn.Pass(this, 'NextState');
pass.next(nextState);
The Pass
state also supports passing key-value pairs as input. Values can
be static, or selected from the input with a path.
The following example filters the greeting
field from the state input
and also injects a field called otherData
.
const pass = new sfn.Pass(this, 'Filter input and inject data', {
parameters: { // input to the pass state
input: sfn.JsonPath.stringAt('$.input.greeting'),
otherData: 'some-extra-stuff',
},
});
The object specified in parameters
will be the input of the Pass
state.
Since neither Result
nor ResultPath
are supplied, the Pass
state copies
its input through to its output.
Learn more about the Pass state
A Wait
state waits for a given number of seconds, or until the current time
hits a particular time. The time to wait may be taken from the execution's JSON
state.
// Wait until it's the time mentioned in the the state object's "triggerTime"
// field.
const wait = new sfn.Wait(this, 'Wait For Trigger Time', {
time: sfn.WaitTime.timestampPath('$.triggerTime'),
});
// Set the next state
const startTheWork = new sfn.Pass(this, 'StartTheWork');
wait.next(startTheWork);
A Choice
state can take a different path through the workflow based on the
values in the execution's JSON state:
const choice = new sfn.Choice(this, 'Did it work?');
// Add conditions with .when()
const successState = new sfn.Pass(this, 'SuccessState');
const failureState = new sfn.Pass(this, 'FailureState');
choice.when(sfn.Condition.stringEquals('$.status', 'SUCCESS'), successState);
choice.when(sfn.Condition.numberGreaterThan('$.attempts', 5), failureState);
// Use .otherwise() to indicate what should be done if none of the conditions match
const tryAgainState = new sfn.Pass(this, 'TryAgainState');
choice.otherwise(tryAgainState);
If you want to temporarily branch your workflow based on a condition, but have
all branches come together and continuing as one (similar to how an if ... then ... else
works in a programming language), use the .afterwards()
method:
const choice = new sfn.Choice(this, 'What color is it?');
const handleBlueItem = new sfn.Pass(this, 'HandleBlueItem');
const handleRedItem = new sfn.Pass(this, 'HandleRedItem');
const handleOtherItemColor = new sfn.Pass(this, 'HanldeOtherItemColor');
choice.when(sfn.Condition.stringEquals('$.color', 'BLUE'), handleBlueItem);
choice.when(sfn.Condition.stringEquals('$.color', 'RED'), handleRedItem);
choice.otherwise(handleOtherItemColor);
// Use .afterwards() to join all possible paths back together and continue
const shipTheItem = new sfn.Pass(this, 'ShipTheItem');
choice.afterwards().next(shipTheItem);
If your Choice
doesn't have an otherwise()
and none of the conditions match
the JSON state, a NoChoiceMatched
error will be thrown. Wrap the state machine
in a Parallel
state if you want to catch and recover from this.
see step function comparison operators
Condition.isPresent
- matches if a json path is presentCondition.isNotPresent
- matches if a json path is not presentCondition.isString
- matches if a json path contains a stringCondition.isNotString
- matches if a json path is not a stringCondition.isNumeric
- matches if a json path is numericCondition.isNotNumeric
- matches if a json path is not numericCondition.isBoolean
- matches if a json path is booleanCondition.isNotBoolean
- matches if a json path is not booleanCondition.isTimestamp
- matches if a json path is a timestampCondition.isNotTimestamp
- matches if a json path is not a timestampCondition.isNotNull
- matches if a json path is not nullCondition.isNull
- matches if a json path is nullCondition.booleanEquals
- matches if a boolean field has a given valueCondition.booleanEqualsJsonPath
- matches if a boolean field equals a value in a given mapping pathCondition.stringEqualsJsonPath
- matches if a string field equals a given mapping pathCondition.stringEquals
- matches if a field equals a string valueCondition.stringLessThan
- matches if a string field sorts before a given valueCondition.stringLessThanJsonPath
- matches if a string field sorts before a value at given mapping pathCondition.stringLessThanEquals
- matches if a string field sorts equal to or before a given valueCondition.stringLessThanEqualsJsonPath
- matches if a string field sorts equal to or before a given mappingCondition.stringGreaterThan
- matches if a string field sorts after a given valueCondition.stringGreaterThanJsonPath
- matches if a string field sorts after a value at a given mapping pathCondition.stringGreaterThanEqualsJsonPath
- matches if a string field sorts after or equal to value at a given mapping pathCondition.stringGreaterThanEquals
- matches if a string field sorts after or equal to a given valueCondition.numberEquals
- matches if a numeric field has the given valueCondition.numberEqualsJsonPath
- matches if a numeric field has the value in a given mapping pathCondition.numberLessThan
- matches if a numeric field is less than the given valueCondition.numberLessThanJsonPath
- matches if a numeric field is less than the value at the given mapping pathCondition.numberLessThanEquals
- matches if a numeric field is less than or equal to the given valueCondition.numberLessThanEqualsJsonPath
- matches if a numeric field is less than or equal to the numeric value at given mapping pathCondition.numberGreaterThan
- matches if a numeric field is greater than the given valueCondition.numberGreaterThanJsonPath
- matches if a numeric field is greater than the value at a given mapping pathCondition.numberGreaterThanEquals
- matches if a numeric field is greater than or equal to the given valueCondition.numberGreaterThanEqualsJsonPath
- matches if a numeric field is greater than or equal to the value at a given mapping pathCondition.timestampEquals
- matches if a timestamp field is the same time as the given timestampCondition.timestampEqualsJsonPath
- matches if a timestamp field is the same time as the timestamp at a given mapping pathCondition.timestampLessThan
- matches if a timestamp field is before the given timestampCondition.timestampLessThanJsonPath
- matches if a timestamp field is before the timestamp at a given mapping pathCondition.timestampLessThanEquals
- matches if a timestamp field is before or equal to the given timestampCondition.timestampLessThanEqualsJsonPath
- matches if a timestamp field is before or equal to the timestamp at a given mapping pathCondition.timestampGreaterThan
- matches if a timestamp field is after the timestamp at a given mapping pathCondition.timestampGreaterThanJsonPath
- matches if a timestamp field is after the timestamp at a given mapping pathCondition.timestampGreaterThanEquals
- matches if a timestamp field is after or equal to the given timestampCondition.timestampGreaterThanEqualsJsonPath
- matches if a timestamp field is after or equal to the timestamp at a given mapping pathCondition.stringMatches
- matches if a field matches a string pattern that can contain a wild card (*) e.g: log-*.txt or *LATEST*. No other characters other than "*" have any special meaning - * can be escaped: \\*A Parallel
state executes one or more subworkflows in parallel. It can also
be used to catch and recover from errors in subworkflows.
const parallel = new sfn.Parallel(this, 'Do the work in parallel');
// Add branches to be executed in parallel
const shipItem = new sfn.Pass(this, 'ShipItem');
const sendInvoice = new sfn.Pass(this, 'SendInvoice');
const restock = new sfn.Pass(this, 'Restock');
parallel.branch(shipItem);
parallel.branch(sendInvoice);
parallel.branch(restock);
// Retry the whole workflow if something goes wrong
parallel.addRetry({ maxAttempts: 1 });
// How to recover from errors
const sendFailureNotification = new sfn.Pass(this, 'SendFailureNotification');
parallel.addCatch(sendFailureNotification);
// What to do in case everything succeeded
const closeOrder = new sfn.Pass(this, 'CloseOrder');
parallel.next(closeOrder);
Reaching a Succeed
state terminates the state machine execution with a
successful status.
const success = new sfn.Succeed(this, 'We did it!');
Reaching a Fail
state terminates the state machine execution with a
failure status. The fail state should report the reason for the failure.
Failures can be caught by encompassing Parallel
states.
const success = new sfn.Fail(this, 'Fail', {
error: 'WorkflowFailure',
cause: "Something went wrong",
});
A Map
state can be used to run a set of steps for each element of an input array.
A Map
state will execute the same steps for multiple entries of an array in the state input.
While the Parallel
state executes multiple branches of steps using the same input, a Map
state will
execute the same steps for multiple entries of an array in the state input.
const map = new sfn.Map(this, 'Map State', {
maxConcurrency: 1,
itemsPath: sfn.JsonPath.stringAt('$.inputForMap'),
});
map.iterator(new sfn.Pass(this, 'Pass State'));
It's possible that the high-level constructs for the states or stepfunctions-tasks
do not have
the states or service integrations you are looking for. The primary reasons for this lack of
functionality are:
If a feature is not available, a CustomState
can be used to supply any Amazon States Language
JSON-based object as the state definition.
Code Snippets are available and can be plugged in as the state definition.
Custom states can be chained together with any of the other states to create your state machine
definition. You will also need to provide any permissions that are required to the role
that
the State Machine uses.
The following example uses the DynamoDB
service integration to insert data into a DynamoDB table.
import * as dynamodb from '@aws-cdk/aws-dynamodb';
// create a table
const table = new dynamodb.Table(this, 'montable', {
partitionKey: {
name: 'id',
type: dynamodb.AttributeType.STRING,
},
});
const finalStatus = new sfn.Pass(this, 'final step');
// States language JSON to put an item into DynamoDB
// snippet generated from https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-code-snippet.html#tutorial-code-snippet-1
const stateJson = {
Type: 'Task',
Resource: 'arn:aws:states:::dynamodb:putItem',
Parameters: {
TableName: table.tableName,
Item: {
id: {
S: 'MyEntry',
},
},
},
ResultPath: null,
};
// custom state which represents a task to insert data into DynamoDB
const custom = new sfn.CustomState(this, 'my custom task', {
stateJson,
});
const chain = sfn.Chain.start(custom)
.next(finalStatus);
const sm = new sfn.StateMachine(this, 'StateMachine', {
definition: chain,
timeout: Duration.seconds(30),
});
// don't forget permissions. You need to assign them
table.grantWriteData(sm);
To make defining work flows as convenient (and readable in a top-to-bottom way)
as writing regular programs, it is possible to chain most methods invocations.
In particular, the .next()
method can be repeated. The result of a series of
.next()
calls is called a Chain, and can be used when defining the jump
targets of Choice.on
or Parallel.branch
:
const step1 = new sfn.Pass(this, 'Step1');
const step2 = new sfn.Pass(this, 'Step2');
const step3 = new sfn.Pass(this, 'Step3');
const step4 = new sfn.Pass(this, 'Step4');
const step5 = new sfn.Pass(this, 'Step5');
const step6 = new sfn.Pass(this, 'Step6');
const step7 = new sfn.Pass(this, 'Step7');
const step8 = new sfn.Pass(this, 'Step8');
const step9 = new sfn.Pass(this, 'Step9');
const step10 = new sfn.Pass(this, 'Step10');
const choice = new sfn.Choice(this, 'Choice');
const condition1 = sfn.Condition.stringEquals('$.status', 'SUCCESS');
const parallel = new sfn.Parallel(this, 'Parallel');
const finish = new sfn.Pass(this, 'Finish');
const definition = step1
.next(step2)
.next(choice
.when(condition1, step3.next(step4).next(step5))
.otherwise(step6)
.afterwards())
.next(parallel
.branch(step7.next(step8))
.branch(step9.next(step10)))
.next(finish);
new sfn.StateMachine(this, 'StateMachine', {
definition,
});
If you don't like the visual look of starting a chain directly off the first
step, you can use Chain.start
:
const step1 = new sfn.Pass(this, 'Step1');
const step2 = new sfn.Pass(this, 'Step2');
const step3 = new sfn.Pass(this, 'Step3');
const definition = sfn.Chain
.start(step1)
.next(step2)
.next(step3)
// ...
It is possible to define reusable (or abstracted) mini-state machines by
defining a construct that implements IChainable
, which requires you to define
two fields:
startState: State
, representing the entry point into this state machine.endStates: INextable[]
, representing the (one or more) states that outgoing
transitions will be added to if you chain onto the fragment.Since states will be named after their construct IDs, you may need to prefix the IDs of states if you plan to instantiate the same state machine fragment multiples times (otherwise all states in every instantiation would have the same name).
The class StateMachineFragment
contains some helper functions (like
prefixStates()
) to make it easier for you to do this. If you define your state
machine as a subclass of this, it will be convenient to use:
import { Stack } from '@aws-cdk/core';
import { Construct } from 'constructs';
import * as sfn from '@aws-cdk/aws-stepfunctions';
interface MyJobProps {
jobFlavor: string;
}
class MyJob extends sfn.StateMachineFragment {
public readonly startState: sfn.State;
public readonly endStates: sfn.INextable[];
constructor(parent: Construct, id: string, props: MyJobProps) {
super(parent, id);
const choice = new sfn.Choice(this, 'Choice')
.when(sfn.Condition.stringEquals('$.branch', 'left'), new sfn.Pass(this, 'Left Branch'))
.when(sfn.Condition.stringEquals('$.branch', 'right'), new sfn.Pass(this, 'Right Branch'));
// ...
this.startState = choice;
this.endStates = choice.afterwards().endStates;
}
}
class MyStack extends Stack {
constructor(scope: Construct, id: string) {
super(scope, id);
// Do 3 different variants of MyJob in parallel
const parallel = new sfn.Parallel(this, 'All jobs')
.branch(new MyJob(this, 'Quick', { jobFlavor: 'quick' }).prefixStates())
.branch(new MyJob(this, 'Medium', { jobFlavor: 'medium' }).prefixStates())
.branch(new MyJob(this, 'Slow', { jobFlavor: 'slow' }).prefixStates());
new sfn.StateMachine(this, 'MyStateMachine', {
definition: parallel,
});
}
}
A few utility functions are available to parse state machine fragments.
State.findReachableStates
: Retrieve the list of states reachable from a given state.State.findReachableEndStates
: Retrieve the list of end or terminal states reachable from a given state.Activities represent work that is done on some non-Lambda worker pool. The Step Functions workflow will submit work to this Activity, and a worker pool that you run yourself, probably on EC2, will pull jobs from the Activity and submit the results of individual jobs back.
You need the ARN to do so, so if you use Activities be sure to pass the Activity ARN into your worker pool:
const activity = new sfn.Activity(this, 'Activity');
// Read this CloudFormation Output from your application and use it to poll for work on
// the activity.
new CfnOutput(this, 'ActivityArn', { value: activity.activityArn });
Granting IAM permissions to an activity can be achieved by calling the grant(principal, actions)
API:
const activity = new sfn.Activity(this, 'Activity');
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
activity.grant(role, 'states:SendTaskSuccess');
This will grant the IAM principal the specified actions onto the activity.
Task
object expose various metrics on the execution of that particular task. For example,
to create an alarm on a particular task failing:
declare const task: sfn.Task;
new cloudwatch.Alarm(this, 'TaskAlarm', {
metric: task.metricFailed(),
threshold: 1,
evaluationPeriods: 1,
});
There are also metrics on the complete state machine:
declare const stateMachine: sfn.StateMachine;
new cloudwatch.Alarm(this, 'StateMachineAlarm', {
metric: stateMachine.metricFailed(),
threshold: 1,
evaluationPeriods: 1,
});
And there are metrics on the capacity of all state machines in your account:
new cloudwatch.Alarm(this, 'ThrottledAlarm', {
metric: sfn.StateTransitionMetric.metricThrottledEvents(),
threshold: 10,
evaluationPeriods: 2,
});
Step Functions identifies errors in the Amazon States Language using case-sensitive strings, known as error names.
The Amazon States Language defines a set of built-in strings that name well-known errors, all beginning with the States.
prefix.
States.ALL
- A wildcard that matches any known error name.States.Runtime
- An execution failed due to some exception that could not be processed. Often these are caused by errors at runtime, such as attempting to apply InputPath or OutputPath on a null JSON payload. A States.Runtime
error is not retriable, and will always cause the execution to fail. A retry or catch on States.ALL
will NOT catch States.Runtime errors.States.DataLimitExceeded
- A States.DataLimitExceeded exception will be thrown for the following:
States.HeartbeatTimeout
- A Task state failed to send a heartbeat for a period longer than the HeartbeatSeconds value.States.Timeout
- A Task state either ran longer than the TimeoutSeconds value, or failed to send a heartbeat for a period longer than the HeartbeatSeconds value.States.TaskFailed
- A Task state failed during the execution. When used in a retry or catch, States.TaskFailed
acts as a wildcard that matches any known error name except for States.Timeout
.Enable logging to CloudWatch by passing a logging configuration with a destination LogGroup:
import * as logs from '@aws-cdk/aws-logs';
const logGroup = new logs.LogGroup(this, 'MyLogGroup');
new sfn.StateMachine(this, 'MyStateMachine', {
definition: sfn.Chain.start(new sfn.Pass(this, 'Pass')),
logs: {
destination: logGroup,
level: sfn.LogLevel.ALL,
},
});
Enable X-Ray tracing for StateMachine:
new sfn.StateMachine(this, 'MyStateMachine', {
definition: sfn.Chain.start(new sfn.Pass(this, 'Pass')),
tracingEnabled: true,
});
See the AWS documentation to learn more about AWS Step Functions's X-Ray support.
IAM roles, users, or groups which need to be able to work with a State Machine should be granted IAM permissions.
Any object that implements the IGrantable
interface (has an associated principal) can be granted permissions by calling:
stateMachine.grantStartExecution(principal)
- grants the principal the ability to execute the state machinestateMachine.grantRead(principal)
- grants the principal read accessstateMachine.grantTaskResponse(principal)
- grants the principal the ability to send task tokens to the state machinestateMachine.grantExecution(principal, actions)
- grants the principal execution-level permissions for the IAM actions specifiedstateMachine.grant(principal, actions)
- grants the principal state-machine-level permissions for the IAM actions specifiedGrant permission to start an execution of a state machine by calling the grantStartExecution()
API.
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definition,
});
// Give role permission to start execution of state machine
stateMachine.grantStartExecution(role);
The following permission is provided to a service principal by the grantStartExecution()
API:
states:StartExecution
- to state machineGrant read
access to a state machine by calling the grantRead()
API.
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definition,
});
// Give role read access to state machine
stateMachine.grantRead(role);
The following read permissions are provided to a service principal by the grantRead()
API:
states:ListExecutions
- to state machinestates:ListStateMachines
- to state machinestates:DescribeExecution
- to executionsstates:DescribeStateMachineForExecution
- to executionsstates:GetExecutionHistory
- to executionsstates:ListActivities
- to *
states:DescribeStateMachine
- to *
states:DescribeActivity
- to *
Grant permission to allow task responses to a state machine by calling the grantTaskResponse()
API:
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definition,
});
// Give role task response permissions to the state machine
stateMachine.grantTaskResponse(role);
The following read permissions are provided to a service principal by the grantRead()
API:
states:SendTaskSuccess
- to state machinestates:SendTaskFailure
- to state machinestates:SendTaskHeartbeat
- to state machineGrant execution-level permissions to a state machine by calling the grantExecution()
API:
const role = new iam.Role(this, 'Role', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definition,
});
// Give role permission to get execution history of ALL executions for the state machine
stateMachine.grantExecution(role, 'states:GetExecutionHistory');
You can add any set of permissions to a state machine by calling the grant()
API.
const user = new iam.User(this, 'MyUser');
declare const definition: sfn.IChainable;
const stateMachine = new sfn.StateMachine(this, 'StateMachine', {
definition,
});
//give user permission to send task success to the state machine
stateMachine.grant(user, 'states:SendTaskSuccess');
Any Step Functions state machine that has been created outside the stack can be imported into your CDK stack.
State machines can be imported by their ARN via the StateMachine.fromStateMachineArn()
API
const app = new App();
const stack = new Stack(app, 'MyStack');
sfn.StateMachine.fromStateMachineArn(
stack,
'ImportedStateMachine',
'arn:aws:states:us-east-1:123456789012:stateMachine:StateMachine2E01A3A5-N5TJppzoevKQ',
);
FAQs
The CDK Construct Library for AWS::StepFunctions
The npm package @aws-cdk/aws-stepfunctions receives a total of 42,455 weekly downloads. As such, @aws-cdk/aws-stepfunctions popularity was classified as popular.
We found that @aws-cdk/aws-stepfunctions demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.