
aws-stepfunction: Failed to create correct IAM role for step function #33580

Closed
1 task
jalencato opened this issue Feb 25, 2025 · 3 comments · Fixed by #33670
Assignees
Labels
@aws-cdk/aws-stepfunctions Related to AWS StepFunctions bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@jalencato

Describe the bug

When trying the code here:

```python
from aws_cdk import aws_stepfunctions as sfn
from aws_cdk import aws_stepfunctions_tasks as tasks

# Job definition, name and queue are read from the execution input at run time
submit_training_job = tasks.BatchSubmitJob(
    self, "Sample Training Job",
    job_definition_arn=sfn.JsonPath.string_at("$.trainingJob.jobDefinitionArn"),
    job_name=sfn.JsonPath.string_at("$.trainingJob.jobName"),
    job_queue_arn=sfn.JsonPath.string_at("$.trainingJob.jobQueueArn"),
    result_path="$.trainingJobResult"
)

# submit_inference_job is built the same way from $.inferenceJob.* (definition not shown in the issue)
chain = submit_training_job.next(submit_inference_job)

state_machine = sfn.StateMachine(
    self, "SamplePipeline",
    definition_body=sfn.DefinitionBody.from_chainable(chain)
)
```

I am just building a step function to submit a batch job with dynamic parameter values by using payload during submit time.

However, when deploying the resource, the code above tries to create one IAM role with the following resources:

| Resource | Effect | Action | Principal |
| --- | --- | --- | --- |
| $.inferenceJob.jobQueueArn | Allow | Batch:SubmitJob | xxxx |

$.inferenceJob.jobQueueArn cannot be retrieved so it will lead to an error. How to handle this case?

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.1000.2

Expected Behavior

I assume the role will be deployed correctly. Even if it did not add the correct rules, at least it would deploy the rules successfully.

Current Behavior

It will throw an error saying:

Refine sentence:

```python
# Do not use $.trainingJob.jobQueue for the job queue because it will
# lead to an error when creating associated error in the IAM role.
```

Reproduction Steps

Copy the code above and deploy it; you will see the error.

Possible Solution

Is there any way we can stop the Step Functions CDK construct from creating the role itself? We could use our own rules that way.

Additional Information/Context

No response

CDK CLI Version

2.1000.2

Framework Version

No response

Node.js Version

21

OS

macos

Language

Python

Language Version

3.9

Other information

No response

@jalencato jalencato added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 25, 2025
@github-actions github-actions bot added the @aws-cdk/aws-stepfunctions Related to AWS StepFunctions label Feb 25, 2025
@pahud pahud self-assigned this Feb 25, 2025
@pahud
Contributor

pahud commented Feb 25, 2025

The issue is in the configurePolicyStatements() method of the BatchSubmitJob class. Unlike other task implementations, it doesn't check if jobQueueArn is a JsonPath expression. The fix would be to modify this method to check if jobQueueArn is a JsonPath expression, and if so, use a wildcard (*) instead:

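The check pahud describes, and the alternative the issue author asks about (supplying explicit queue ARNs instead of letting the construct grant `*`), as an added example that is not CDK's own code. It works on raw JsonPath/JSONata strings rather than the encoded tokens `sfn.JsonPath.string_at` returns, and covers only the `batch:SubmitJob` statement for the job queue; `ARN_RE`, `is_dynamic_reference` and `submit_job_statement` are names chosen here.

```python
import re

# Constructed pattern for an AWS Batch job-queue ARN (partition may be aws, aws-cn, ...)
ARN_RE = re.compile(r"^arn:aws[a-z-]*:batch:[a-z0-9-]+:\d{12}:job-queue/[A-Za-z0-9_-]+$")


def is_dynamic_reference(value: str) -> bool:
    """True for a JsonPath ("$.x") or JSONata ("{% ... %}") reference.

    Such a value is only resolved when the state machine runs, so it can never
    be used verbatim as the Resource of an IAM statement (the bug in this issue).
    """
    v = value.strip()
    return v.startswith("$") or (v.startswith("{%") and v.endswith("%}"))


def submit_job_statement(job_queue_arn: str, allowed_queue_arns=None) -> dict:
    """Build the batch:SubmitJob statement for the state machine role.

    Static ARN   -> scoped to that single queue.
    Dynamic ref  -> "*" (what the fix in #33670 does), unless the caller lists
                    allowed_queue_arns, which keeps the grant least-privilege
                    even though the queue is chosen from the execution input.
    """
    if not is_dynamic_reference(job_queue_arn):
        if not ARN_RE.match(job_queue_arn):
            raise ValueError(f"not a Batch job-queue ARN: {job_queue_arn}")
        resources = [job_queue_arn]
    elif allowed_queue_arns:
        bad = [a for a in allowed_queue_arns if not ARN_RE.match(a)]
        if bad:
            raise ValueError(f"not Batch job-queue ARNs: {bad}")
        resources = list(allowed_queue_arns)
    else:
        resources = ["*"]
    return {"Effect": "Allow", "Action": ["batch:SubmitJob"], "Resource": resources}
```

A deployment that grants `*` should at least be reviewed: any job queue in the account becomes submittable from this state machine, which is exactly what the `allowed_queue_arns` branch avoids.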
@pahud pahud removed their assignment Feb 25, 2025
@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 25, 2025
@jalencato
Author

Do we have any plans to merge this PR recently?

@scorbiere scorbiere self-assigned this Mar 17, 2025
@mergify mergify bot closed this as completed in #33670 Mar 18, 2025
mergify bot pushed a commit that referenced this issue Mar 18, 2025

…3670)

### Issue # (if applicable)

Closes #33580

### Reason for this change
Incorrect IAM Policy for jobQueueArn when using JsonPath or JSONata

### Description of changes
For JsonPath or JSONata `jobQueueArn`, IAM Policy use wildcard (*)

### Describe any new or updated permissions being added
For JsonPath or JSONata `jobQueueArn`, IAM Policy use wildcard (*)

### Description of how you validated changes
Unit test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2025