Question - Is there an easy way to get authorized to perform: states:StartExecution?

[josoroma-zz]

Calling stepfunctions.startExecution(params).promise() from a express route/controller is giving me this exception:

{
"message": "User: arn:aws:sts::3333333333:assumed-role/tf-ourservice-development-lambda-execution/sls-ourservice-development-api is not authorized to perform: states:StartExecution on resource: arn:aws:states:us-east-1:3333333333:stateMachine:generateCourse",
"code": "AccessDeniedException",
"time": "2019-09-27T15:44:01.864Z",
"requestId": "c0c52ee3-fa60-4f49-9b3f-90608696004b",
"statusCode": 400,
"retryable": false,
"retryDelay": 70.21923469758191
}

route/controller

  getZipById(req, res) {
    return Course.findOne({ where: { id: req.params.id } })
      .then(async (course) => {
        let generateCourseWorkflowArn = process.env.GENERATE_COURSE_ARN;

        if (process.env.STAGE === "localdev") {
          generateCourseWorkflowArn = "arn:aws:states:us-east-1:3333333333:stateMachine:GenerateCourse";
        }

        const params = {
          name: `StateMachineGenerateCourse${uuidv4()}`,
          stateMachineArn: generateCourseWorkflowArn,
          input: JSON.stringify({course: course.dataValues})
        };

        try {
          const data = await stepfunctions.startExecution(params).promise();
        } catch (e) {
          res.status(400).send(e);
        }
      })
      .catch((error) => res.status(400).send(error));
  },

serverless.yml

provider:
...
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "states:*"
      Resource:
        - ${self:resources.Outputs.GenerateCourse.Value}

functions:
  api:
    handler: src/server/api.handler
    environment:
      GENERATE_COURSE_ARN: ${self:resources.Outputs.GenerateCourse.Value}
      DATABASE_ENDPOINT: ${self:custom.environment.databaseEndpoint}
      DATABASE_USER: ${self:custom.environment.databaseUser}
      DATABASE_PASSWORD: ${self:custom.environment.databasePassword}
      DATABASE_NAME: ${self:custom.environment.databaseName}
    events: # Use a generic proxy to allow Express app to route.
      - http: ANY /api
      - http: 'ANY /api/{proxy+}'
  generateCourseStart:
    handler: src/server/step-functions/generate-course/start.handler
    events:
      - http: ANY /generate/course/start
  generateCourseSistem:
    handler: src/server/step-functions/generate-course/sistem.handler
    events:
      - http: ANY /generate/course/sistem

stepFunctions:
  stateMachines:
    generateCourse:
      name: generateCourse
      definition:
        Comment: "Generate Course Step Functions Workflow"
        StartAt: GenerateCourseStart
        States:
          GenerateCourseStart:
            Type: Task
            Resource: ${self:custom.environment.generateCourseStartArn}
            Next: GenerateCourseSistem
          GenerateCourseSistem:
            Type: Task
            Resource: ${self:custom.environment.generateCourseSistemArn}
            End: true

resources:
  Outputs:
    GenerateCourse:
      Description: The ARN of the example state machine
      Value:
        Ref: GenerateCourse

[josoroma-zz]

I also added (with no luck):

        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "states:DescribeStateMachine",
                "states:StartExecution",
                "states:DeleteStateMachine",
                "states:ListExecutions",
                "states:UpdateStateMachine"
            ],
            "Resource": "arn:aws:states:*:3333333333:stateMachine:generateCourse"
        }
    ]

to the following policies:

arn:aws:iam::3333333333:policy/tf-ourservice-development-developer

arn:aws:iam::3333333333:policy/tf-scbbackendtf-development-lambda-execution