If you have ever received the following error is not authorized to create managed-rule when running a Step Function through Terraform’s AWS Provider, then you may have jumped through many different hoops trying to figure out what was wrong.

What is the Quick Fix?

Open the role in IAM and attach the CloudWatchEventsFullAccess AWS managed policy to the permissions policies.

Need More Information?

IAM Role Principal Policy required to AssumeRole

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
    "Version" : "2012-10-17",
    "Statement" : [
        {
        "Effect" : "Allow",
        "Principal" : {
            "Service" : "states.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
        }
    ]
}

IAM Role Policy GetEvents For StepFunctions Execution Rule

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

{
    "Effect": "Allow",
    "Action": [
        "events:PutTargets",
        "events:PutRule",
        "events:DescribeRule"
    ],
    "Resource": [
        "arn:aws:events:[[region]]:[[account]]:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule"
    ]
}

IAM Role Policy under StepFunctions CloudFormation

1
2
3
4
5
6
7

- Effect: Allow
  Action:
  - events:PutTargets
  - events:PutRule
  - events:DescribeRule
  Resource: 
  - !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/StepFunctionsGetEventsForStepFunctionsExecutionRule

If you need to limit it to a resource, then StepFunctionsGetEventsForStepFunctionsExecutionRule is the one you’re looking for!