How to Fix “is not authorized to create managed-rule” in AWS Step Functions

If you have ever received the error “is not authorized to create managed-rule” when running a Step Function through Terraform’s AWS Provider, you may have jumped through many hoops trying to figure out what was wrong.

What is the Quick Fix?

Open the role in IAM and attach the CloudWatchEventsFullAccess AWS managed policy to the permissions policies.

Need More Information?

IAM Role Principal Policy required to AssumeRole

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

IAM Role Policy GetEvents For StepFunctions Execution Rule

{
  "Effect": "Allow",
  "Action": [
    "events:PutTargets",
    "events:PutRule",
    "events:DescribeRule"
  ],
  "Resource": [
    "arn:aws:events:[[region]]:[[account]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
  ]
}

IAM Role Policy under StepFunctions CloudFormation

- Effect: Allow
  Action:
    - events:PutTargets
    - events:PutRule
    - events:DescribeRule
  Resource:
    - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule

If you need to limit the permission to a single resource instead of attaching CloudWatchEventsFullAccess, then the rule StepFunctionsGetEventsForStepFunctionsExecutionRule is the one you’re looking for!
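The same trust policy and scoped statement expressed in Terraform, with the broad quick fix left commented out beside it for comparison. This is an added example, not code from the original post; the resource labels, the role and policy names, and var.region are assumptions.

```hcl
# Added example. Resource labels, names and var.region are assumptions.
variable "region" {
  type        = string
  description = "Region the state machine runs in (assumed input)"
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

# Execution role that Step Functions assumes (trust policy shown above).
resource "aws_iam_role" "sfn_exec" {
  name = "example-sfn-exec" # hypothetical name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "states.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Quick fix: AWS managed policy, not scoped to this one rule.
# resource "aws_iam_role_policy_attachment" "events_full" {
#   role       = aws_iam_role.sfn_exec.name
#   policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchEventsFullAccess"
# }

# Scoped alternative: only the three actions, only the managed rule.
resource "aws_iam_role_policy" "sfn_managed_rule" {
  name = "sfn-managed-rule" # hypothetical name
  role = aws_iam_role.sfn_exec.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "events:PutTargets",
        "events:PutRule",
        "events:DescribeRule",
      ]
      Resource = "arn:${data.aws_partition.current.partition}:events:${var.region}:${data.aws_caller_identity.current.account_id}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
    }]
  })
}
```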

1 Comment
Ray
6 months ago

<3 Thank you! This saved a lot of trial and error.