
How do I resolve "not authorized to assume the provided role" errors in AWS Step Functions?


When I try to run my AWS Step Functions state machine, I receive the error: "Neither the global service principal states.amazonaws.com, nor the regional one is authorized to assume the provided role."

Resolution

Verify that you configured the required trust relationships for the IAM role that your state machine assumes

One of the following endpoints must be listed as a trusted entity in the AWS Identity and Access Management (IAM) role's trust policy:

  • An AWS Regional endpoint: states.region.amazonaws.com
  • The AWS global endpoint: states.amazonaws.com

Use the IAM console to update the IAM role's trust policy so that the policy includes one of the preceding endpoints.

Note: When you call the StartExecution API action, Step Functions uses the IAM role that's associated with the state machine during the API action's runtime. If you change the IAM role during the action's runtime, then Step Functions doesn't use the IAM role on the API action.
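As an added illustration (not part of the original article), the following Python helper checks an IAM role's trust policy document for the Step Functions service principal described above. It handles the cases that usually hide the problem: a single string instead of a list in Principal.Service or Action, a Deny statement, and a role that trusts a different service (the sample trust policies and the Regional pattern are constructed for this example).

```python
import json
import re

# Service principals Step Functions uses to assume the state machine's role:
# the global one, or a Regional one such as states.us-east-1.amazonaws.com.
GLOBAL_PRINCIPAL = "states.amazonaws.com"
# Simplified Region pattern (assumption for this example, commercial/GovCloud style names).
REGIONAL_PRINCIPAL = re.compile(r"^states\.[a-z]{2}(-gov)?-[a-z]+-\d\.amazonaws\.com$")


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_states_principals(trust_policy):
    """Return the Step Functions service principals the trust policy allows to
    call sts:AssumeRole. An empty list means StartExecution will fail with the
    "not authorized to assume the provided role" error."""
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    found = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" or an account principal is not a service trust
        for svc in _as_list(principal.get("Service")):
            if svc == GLOBAL_PRINCIPAL or REGIONAL_PRINCIPAL.match(svc):
                found.append(svc)
    return found


# Constructed sample trust policies for this example.
BROKEN_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}"""

FIXED_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"Service": ["states.amazonaws.com", "states.us-east-1.amazonaws.com"]},
   "Action": "sts:AssumeRole"}]}"""

if __name__ == "__main__":
    print(trusted_states_principals(BROKEN_TRUST_POLICY))  # []
    print(trusted_states_principals(FIXED_TRUST_POLICY))
```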

Verify that the IAM role that your state machine assumes still exists

Complete the following steps:

  1. Open the Step Functions console.
  2. In the navigation pane, choose State machines.
  3. For Names, choose the name of your state machine.
  4. In the Details section, choose the link under IAM role ARN. If the IAM role exists, then the role opens on the IAM console. If the IAM role doesn't exist, then the IAM console opens a page that says No Entity Found.

If the IAM role that your state machine assumes doesn't exist, then create a new IAM role that includes the required permissions. Then, configure your state machine to assume the new IAM role.

Important: The new IAM role must have a different name from the previous IAM role.

For more information, see How AWS Step Functions works with IAM.

Related information

Create a serverless workflow with AWS Step Functions and AWS Lambda

AWS OFFICIAL
Updated 2 years ago
2 Comments

Hello everyone, yesterday I was trying to use a sourceARN condition as specified in the official documentation here, my code is exactly that. Seems there's a bug there if we trust this stackoverflow article. I haven't used AWS in some years so, is there a way to get an official bug report or anything like that?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT
replied 2 years ago