Commit fb11dfc

Author: Samphire Reeve

Updated readme to have more detail around IAM roles
1 parent 655c4e8 commit fb11dfc

1 file changed, +31 -3 lines changed

README.md

Lines changed: 31 additions & 3 deletions
@@ -981,7 +981,9 @@ Run `sls deploy`, the defined Stepfunctions are deployed.
981981

982982
## IAM Role
983983

984-
The IAM roles required to run Statemachine are automatically generated. It is also possible to specify ARN directly.
984+
The IAM roles required to run Statemachine are automatically generated for the state machines lambda, with the policy name of `StatesExecutionPolicy-<environment>`. This is given the default permissions of allowing lambda InvokeFunction.
985+
986+
However, it is also possible to specify ARN directly.
985987

986988
Here's an example:
987989

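Review bot: The new sentence at 984 describes the generated role as being "for the state machines lambda" and then gives `StatesExecutionPolicy-<environment>` as "the policy name", so it is unclear whether that is the role's name or the policy's, and it does not say which functions the default InvokeFunction permission covers. Suggest rewording to "for the state machine's Lambda functions", stating which resource carries that name, and stating the resource scope of the default permission so readers can tell when they need to supply their own role ARN.
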
@@ -993,7 +995,10 @@ stepFunctions:
993995
definition:
994996
```
995997

996-
It is also possible to use the [CloudFormation intrinsic functions](https://docs.aws.amazon.com/en_en/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html) to reference resources from elsewhere:
998+
It is also possible to use the [CloudFormation intrinsic functions](https://docs.aws.amazon.com/en_en/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference.html) to reference resources from elsewhere. This allows for another IAM Role to be created and
999+
1000+
1001+
Example:
9971002

9981003
```yml
9991004
stepFunctions:
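
Review bot: The sentence added at 998 stops mid-clause ("This allows for another IAM Role to be created and") and is followed by two empty added lines (999, 1000) before "Example:". Finish the sentence with what the created role is then used for, or end it after "from elsewhere.", and keep a single blank line before "Example:".
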
@@ -1009,7 +1014,30 @@ resources:
10091014
StateMachineRole:
10101015
Type: AWS::IAM::Role
10111016
Properties:
1012-
...
1017+
RoleName: role
1018+
Path: /lambda_roles/
1019+
AssumeRolePolicyDocument:
1020+
Statement:
1021+
- Effect: Allow
1022+
Principal:
1023+
Service:
1024+
- states.amazonaws.com
1025+
Action:
1026+
- sts:AssumeRole
1027+
Policies:
1028+
- PolicyName: statePolicy
1029+
PolicyDocument:
1030+
Version: version
1031+
Statement:
1032+
- Effect: Allow
1033+
Action:
1034+
- lambda:InvokeFunction
1035+
Resource: "*"
1036+
- Effect: Allow
1037+
Action:
1038+
- sqs:SendMessage
1039+
Resource:
1040+
- arn:aws:sqs::xxxxxxxx:queueName
10131041
```
10141042

10151043
The short form of the intrinsic functions (i.e. `!Sub`, `!Ref`) is not supported at the moment.
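
Review bot: The example policy at 1034-1035 grants `lambda:InvokeFunction` on `Resource: "*"`, and since README snippets tend to be copied as-is this should be scoped to the ARNs of the functions the state machine actually invokes. Also, `Version: version` at 1030 is not a valid policy version (IAM expects a date string such as "2012-10-17"), the SQS ARN at 1040 has an empty region field, and `Path: /lambda_roles/` at 1018 is a confusing path for a role whose trust policy names `states.amazonaws.com`; fix these or mark them explicitly as placeholders.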
