Error Creating AWS Step Function on Local Docker using dotNet Api CreateStateMachineAsync: "Cross-account pass role is not allowed."
I'm trying to create a step function locally using the AWS StepFunctions SDK, but am getting the following exception: Amazon.StepFunctions.AmazonStepFunctionsException: 'Cross-account pass role is not allowed.' in the call to CreateStateMachineAsync. Here are some relevant facts:
- Using Visual Studio 2019, C#, and dotnet 3.1 on Windows 10
- SDK from Nuget Pkg AWSSDK.StepFunctions (3.7.0.103)
- Docker version 20.10.8
- SAM CLI version 1.35.0
- Step functions local on Docker
- The step function code works fine when deployed to AWS
I started the docker version of StepFunctions as shown in the docs, with the following output, which shows my settings:

```
C:\outcode\LocalStepFunctions>docker run -p 8083:8083 --env-file dockerConfig.txt amazon/aws-stepfunctions-local
Step Functions Local
Version: 1.7.9
Build: 2021-06-24
2021-11-29 15:47:25.557: Configure [AWS_ACCOUNT_ID] to [999999999999]
2021-11-29 15:47:25.558: Configure [AWS_DEFAULT_REGION] to [us-west-2]
2021-11-29 15:47:25.559: Configure [LAMBDA_ENDPOINT] to [lambda.us-west-2.amazonaws.com]
2021-11-29 15:47:25.559: Configure [BATCH_ENDPOINT] to [batch.us-west-2.amazonaws.com]
2021-11-29 15:47:25.559: Configure [DYNAMODB_ENDPOINT] to [dynamodb.us-west-2.amazonaws.com]
2021-11-29 15:47:25.560: Configure [ECS_ENDPOINT] to [ecs.us-west-2.amazonaws.com]
2021-11-29 15:47:25.560: Configure [GLUE_ENDPOINT] to [glue.us-west-2.amazonaws.com]
2021-11-29 15:47:25.561: Configure [SQS_ENDPOINT] to [sqs.us-west-2.amazonaws.com]
2021-11-29 15:47:25.561: Configure [SNS_ENDPOINT] to [sns.us-west-2.amazonaws.com]
2021-11-29 15:47:25.561: Configure [STEP_FUNCTIONS_ENDPOINT] to [states.us-west-2.amazonaws.com]
2021-11-29 15:47:25.562: Configure [WAIT_TIME_SCALE] to [0]
2021-11-29 15:47:25.566: Scale of wait time is set to 0.000000
2021-11-29 15:47:25.587: Loaded credentials from environment
2021-11-29 15:47:25.588: Starting server on port 8083 with account 999999999999, region us-west-2
Nov 29, 2021 3:47:27 PM com.amazonaws.internal.DefaultServiceEndpointBuilder getServiceEndpoint
INFO: {databrew, us-west-2} was not found in region metadata, trying to construct an endpoint using the standard pattern for this region: 'databrew.us-west-2.amazonaws.com'.
```
I'm able to execute an equivalent command line with a simple state machine definition like this using the Windows command shell (cmd.exe). The command and response are shown below:

```
C:\code\asset-requests>aws stepfunctions --endpoint http://localhost:8083 create-state-machine --name "HelloWorld" --role-arn "arn:aws:iam::012345678901:role/DummyRole" --definition "{\"StartAt\": \"Hello\", \"States\": {\"Hello\": {\"Type\": \"Pass\", \"Result\": \"Hello\", \"End\": true }}}"
{
    "stateMachineArn": "arn:aws:states:us-west-2:583684448093:stateMachine:HelloWorld",
    "creationDate": "2021-11-29T07:23:53.426000-08:00"
}
```
However, because of the 8K byte limit on arguments in cmd.exe, I can't use it for my production state machine.
I tried using PowerShell, but it's not ideal for my current application and I wasn't able to get the escaping to work right.
The following code reproduces the error:

```csharp
using Amazon.StepFunctions;
using Amazon.StepFunctions.Model;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

namespace ErrorDemo
{
    class Program
    {
        static async Task Main(string[] args)
        {
            var request = new CreateStateMachineRequest();
            request.Definition = "{\"StartAt\": \"Hello\", \"States\": {\"Hello\": {\"Type\": \"Pass\", \"Result\": \"Hello\", \"End\": true }}}";
            request.LoggingConfiguration = new LoggingConfiguration();
            request.Name = "MinimalStepFxn";
            request.RoleArn = "arn:aws:iam::012345678901:role/DummyRole";
            request.Tags = new List<Tag>();
            request.TracingConfiguration = new TracingConfiguration();
            request.Type = StateMachineType.STANDARD;
            var client = new AmazonStepFunctionsClient();
            var result = await client.CreateStateMachineAsync(request);
            Console.WriteLine(result.StateMachineArn);
        }
    }
}
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
