IamRoleStateMachineExecution - Policy statement must contain resources

I have the following serverless configuration file and I keep getting this error. I have no clue what to do. Please point me to what I am doing wrong.

An error occurred: IamRoleStateMachineExecution - Policy statement must contain resources. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 1306e9e2-aa17-11e8-990a-1bb7f9dda8ba).

service: abc

plugins:
  - serverless-step-functions
  - serverless-pseudo-parameters

provider:
  name: aws
  runtime: go1.x
  timeout: 30
  region: eu-west-1
  apiKeys:
    - ${opt:stage}

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:GetObject"
        - "s3:PutObject"
        - "s3:DeleteObject"
        - "logs:FilterLogEvents"
      Resource: "*"

package:
 exclude:
   - ./**
 include:
   - ./create-task-fn
   - ./s3-ftp-upload-fn
   - ./${opt:stage}.config.json

functions:
  CreateTask:
    handler: create-task-fn
    memorySize: 192
    environment:
      # Cloudwatch region
      REGION: ${self:provider.region}
      CONFIG: ${opt:stage}.config.json
  S3FtpUpload:
    handler: s3-ftp-upload-fn
    memorySize: 256
    environment:
      CONFIG: ${opt:stage}.config.json


stepFunctions:
  stateMachines:
    abc:
      events:
        - http:
            path: /
            method: post
      name: Abc
      definition:
        Comments: "Abc Step function reads logs from cloudwatch, Process them and uploads them to a FTP server"
        StartAt: CreateTask
        States:
          CreateTask:
            Type: Task
            Resource: "arn:aws:lambda:${self:provider.region}:#{AWS::AccountId}:function:${self:service}-${opt:stage}-CreateTask"
            Next: S3FtpUpload
          S3FtpUpload:
            Type: Task
            Resource: "arn:aws:lambda:${self:provider.region}:#{AWS::AccountId}:function:${self:service}-${opt:stage}-S3FtpUpload"
            End: true

resources:
  Resources:
    CreateTaskTempBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: create-task-temp-store

I’ve just run into this error message as well on a project where I’m also using:

plugins:
  - serverless-step-functions
  - serverless-pseudo-parameters

This is a serverless project that was working just fine; I have deployed multiple times recently without any issue. I made a minor code change and now I’m hitting this when I try to deploy. It seems like something changed behind the scenes, but I’m not sure where…

Thanks in advance if anyone has any clues as to what’s going on.

It looks like back-revving serverless-step-functions to version 1.6.1 resolves this issue for me. Looking through the logs in GitHub, this changeset seems a likely candidate:

… since it’s related to IAM role (according to the comments).

I have logged this issue in the plugin’s GitHub-

Thanks. I added some more detail to the bug report…

Thank you so much. I pinned serverless-step-functions to 1.6.1 and everything worked just fine.

It looks like there was a new release that fixes this - but I haven’t tried it myself yet…

I tried with the 1.7.2 release (latest tagged release as of today), and still encountered this issue. But I can also confirm that pinning serverless-step-functions to 1.6.1 does work.

I was having the same error and it worked with serverless-step-functions@1.6.1
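
A pre-deploy check for the condition the error message names, as an added example that is not part of the thread or the plugin's code: it scans a parsed CloudFormation template (such as the one `serverless package` writes under `.serverless/`) for IAM policy statements that have neither `Resource` nor `NotResource`. The function names and the sample template are constructed for illustration; the empty `Resource` list in the sample is an assumption about what a failing template looks like, not something shown in the thread.

```javascript
// Added example. IAM lets Resource/Action be a single value or a list.
function asList(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// Policy documents attached to one CloudFormation resource.
// AssumeRolePolicyDocument is skipped: trust policies carry no Resource.
function policyDocuments(res) {
  const props = res.Properties || {};
  if (res.Type === 'AWS::IAM::Role') {
    return asList(props.Policies).map((p) => p.PolicyDocument || {});
  }
  if (res.Type === 'AWS::IAM::Policy' || res.Type === 'AWS::IAM::ManagedPolicy') {
    return [props.PolicyDocument || {}];
  }
  return [];
}

// One finding per statement that has neither Resource nor NotResource.
function findStatementsWithoutResources(template) {
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    policyDocuments(res).forEach((doc, policyIndex) => {
      asList(doc.Statement).forEach((stmt, statementIndex) => {
        const targets = asList(stmt.Resource).concat(asList(stmt.NotResource));
        if (targets.length === 0) {
          findings.push({ logicalId, policyIndex, statementIndex, actions: asList(stmt.Action) });
        }
      });
    });
  }
  return findings;
}

// Constructed sample template (hypothetical contents, not from the thread).
const SAMPLE_TEMPLATE = {
  Resources: {
    IamRoleStateMachineExecution: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: { Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole' }] },
        Policies: [{ PolicyDocument: { Statement: [{ Effect: 'Allow', Action: ['lambda:InvokeFunction'], Resource: [] }] } }],
      },
    },
    IamRoleLambdaExecution: { Type: 'AWS::IAM::Role', Properties: { Policies: [{ PolicyDocument: { Statement: [{ Effect: 'Allow', Action: ['s3:GetObject'], Resource: '*' }] } }] } },
  },
};

console.log(JSON.stringify(findStatementsWithoutResources(SAMPLE_TEMPLATE), null, 2));
```

Run against the packaged template before deploying, a non-empty result points at the role and statement that IAM would reject with `MalformedPolicyDocument`.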