preview
We're still working on this feature, but we'd love for you to try it out!
This feature is currently provided as part of a preview program pursuant to our pre-release policies.
This page provides a comprehensive reference for the AWS Execute API action available in the workflow automation actions catalog. This action enables you to execute any AWS API operation.
Prerequisites
Before using AWS actions in workflow automation, ensure you have:
- An AWS account with appropriate permissions.
- AWS credentials configured (IAM user credentials, IAM role ARN, or session credentials).
- The necessary IAM permissions for the specific AWS services you plan to use.
See Set up AWS credentials for information on how to create IAM users and IAM roles, and set up static and session AWS credentials for integration with workflow automation AWS actions.
Security and IAM configuration
To use this action, you must configure AWS credentials. See Set up AWS credentials for detailed instructions on creating an IAM role or IAM user.
Important
Security best practice: When defining IAM policies for this action, always use least-privilege access. Grant only the specific AWS API actions your workflow requires, and restrict permissions to specific resources rather than using wildcards.
Required IAM permissions
The permissions you need depend on which AWS services and APIs your workflow calls. Use the examples below as templates for creating least-privilege policies.
Example 1: Send messages to a specific SQS queue
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-west-2:<your-aws-account-id>:<your-queue-name>"
    }
  ]
}
```

Example 2: Query a specific DynamoDB table

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:Query",
      "Resource": "arn:aws:dynamodb:us-west-2:<your-aws-account-id>:table/<your-table-name>"
    }
  ]
}
```

Example 3: Multiple services with specific permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-west-2:<your-aws-account-id>:<your-queue-name>"
    },
    {
      "Effect": "Allow",
      "Action": "dynamodb:Query",
      "Resource": "arn:aws:dynamodb:us-west-2:<your-aws-account-id>:table/<your-table-name>"
    }
  ]
}
```

Important
- Replace <your-aws-account-id>, <your-queue-name>, and <your-table-name> with your actual values.
- Find available AWS service APIs in the Boto3 documentation.
- For more complex IAM policy patterns, see the AWS IAM documentation.
For more information on how this action works, see the AWS Systems Manager executeAwsApi documentation.
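The least-privilege guidance above can be checked mechanically before a policy is attached to the workflow's IAM user or role. The following is an added example, not code from the original page or from the product: the function name `lint_policy`, the sample policies and the account ID `111122223333` are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies: one over-broad, one shaped like Example 3 above.
BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}""")
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sqs:SendMessage",
   "Resource": "arn:aws:sqs:us-west-2:111122223333:example-queue"},
  {"Effect": "Allow", "Action": "dynamodb:Query",
   "Resource": "arn:aws:dynamodb:us-west-2:111122223333:table/example-table"}]}""")

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def lint_policy(policy, needed_actions):
    """Return findings for wildcard grants and for needed actions not granted."""
    findings, granted = [], set()
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: Allow with NotAction/NotResource grants broadly")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            granted.add(action.lower())  # IAM action names are case-insensitive
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource or "?" in resource:
                findings.append(f"statement {i}: wildcard resource {resource!r}")
    # Every API the workflow calls should be covered by some Allow statement.
    for action in needed_actions:
        if not any(fnmatchcase(action.lower(), pattern) for pattern in granted):
            findings.append(f"missing grant for {action!r}")
    return findings

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, lint_policy(policy, ["sqs:SendMessage", "dynamodb:Query"]))
```

Some resource ARNs legitimately need a trailing wildcard, so treat wildcard findings as items to review rather than automatic failures.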
Call an AWS API
Execute any AWS API operation for a specified service. It supports providing AWS credentials, region, service name, API name, and optional parameters. The action can return outputs such as success status, response data, and error messages, making it versatile for interacting with AWS services programmatically.
| Input Field | Optionality | Type | Example |
|---|---|---|---|
| awsRoleArn | Optional | String | |
| awsAccessKeyId | Optional | String | |
| awsSecretAccessKey | Optional | String | |
| awsSessionToken | Optional | String | |
| region | Required | String | |
| service | Required | String | |
| api | Required | String | |
| parameters | Required | Map | |
| selectors | Optional | List | |
| Output Field | Type | Example |
|---|---|---|
| response | Object | |
| success | Boolean | |
| errorMessage | String | |
Important
- At least one of the AWS credentials (short, long, role) should be provided in the action input; the role takes precedence over the others.
- In the action input, if awsAccessKeyId and awsSecretAccessKey are to be provided, make sure they are static credentials of an IAM user.
- If session credentials are to be used, awsAccessKeyId, awsSecretAccessKey and awsSessionToken must be passed to the action input.
- Refer to AWS credentials for instructions.
- Use selectors to get only the specified parameters as output.
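The credential rules in the list above can be enforced as a pre-flight check on resolved input values before a workflow is run. This is an added example, not the product's own logic: the function name `credential_mode` and the sample values are constructed, and the prefix check relies on the AWS convention that long-term IAM user access key IDs start with `AKIA` and temporary STS key IDs start with `ASIA`.

```python
import re

# Matches an IAM role ARN in any AWS partition (aws, aws-cn, aws-us-gov).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

def credential_mode(inputs):
    """Return 'role', 'session' or 'static' for the action inputs, or raise ValueError."""
    role = inputs.get("awsRoleArn")
    key = inputs.get("awsAccessKeyId")
    secret = inputs.get("awsSecretAccessKey")
    token = inputs.get("awsSessionToken")

    if role:
        # Per the list above, the role takes precedence over key-based credentials.
        if not ROLE_ARN.match(role):
            raise ValueError("awsRoleArn is not an IAM role ARN")
        return "role"
    if not (key and secret):
        if key or secret or token:
            raise ValueError("awsAccessKeyId and awsSecretAccessKey must be supplied together")
        raise ValueError("no AWS credentials provided")
    if token:
        # Session credentials: all three values, and the key must be a temporary one.
        if key.startswith("AKIA"):
            raise ValueError("awsSessionToken supplied with a long-term (AKIA) key")
        return "session"
    # Static credentials: must belong to an IAM user, not an STS session.
    if key.startswith("ASIA"):
        raise ValueError("temporary (ASIA) key requires awsSessionToken")
    return "static"

if __name__ == "__main__":
    # Constructed sample values; never log real key material.
    print(credential_mode({"awsAccessKeyId": "ASIAEXAMPLEEXAMPLE00",
                           "awsSecretAccessKey": "constructed-secret",
                           "awsSessionToken": "constructed-token"}))
```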
Example: Query a DynamoDB table
This example demonstrates how to query a DynamoDB table using the aws.execute.api action with session credentials.
```yaml
name: aws_execute_api_dynamoDB_dks

workflowInputs:
  # Credentials are pulled from the secrets store, never written inline.
  key:
    type: String
    defaultValue: "${{ :secrets:<aws_access_key_id> }}"
  access:
    type: String
    defaultValue: "${{ :secrets:<aws_secret_access_key> }}"
  token:
    type: String
    defaultValue: "${{ :secrets:<aws_session_token> }}"
  region:
    type: String
    defaultValue: us-east-2
  tableName:
    type: String
    defaultValue: workflow-definitions-dev
  scopedName:
    type: String
  version:
    type: String
    defaultValue: "1"

steps:
  # Query the table using session credentials (key, secret and token).
  - name: executeApi
    type: action
    action: aws.execute.api
    version: 1
    inputs:
      awsAccessKeyId: ${{ .workflowInputs.key }}
      awsSecretAccessKey: ${{ .workflowInputs.access }}
      awsSessionToken: ${{ .workflowInputs.token }}
      region: ${{ .workflowInputs.region }}
      service: dynamodb
      api: query
      parameters:
        TableName: ${{ .workflowInputs.tableName }}
        KeyConditionExpression: "ScopedName = :scopedNameValue AND Version = :VersionValue"
        ExpressionAttributeValues:
          ":scopedNameValue":
            S: ${{ .workflowInputs.scopedName }}
          ":VersionValue":
            N: ${{ .workflowInputs.version }}
      selectors:
        - name: response
          expression: '.response'
        - name: errorMessage
          expression: '.errorMessage'
        - name: success
          expression: '.success'
  - name: wait
    type: wait
    seconds: 2
  # Log each selected output.
  - name: logOutput
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: 'The execute API message output is:${{ .steps.executeApi.outputs.response.Item }}'
      licenseKey: '${{ :secrets:STAGING_NEW_RELIC_LICENSE_KEY }}'
  - name: logOutput1
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: 'does execute API have any error :${{ .steps.executeApi.outputs.errorMessage }}'
      licenseKey: '${{ :secrets:STAGING_NEW_RELIC_LICENSE_KEY }}'
  - name: logOutput2
    type: action
    action: newrelic.instrumentation.log
    version: 1
    inputs:
      message: 'is execute successful :${{ .steps.executeApi.outputs.success }}'
      licenseKey: '${{ :secrets:STAGING_NEW_RELIC_LICENSE_KEY }}'
```

For more workflow examples using AWS Execute API, see the Workflow examples page.