IAM: Maximum policy size of 10240 bytes exceeded for role.. #18457
Comments
@automartin5000 I've run into this same issue (also with secrets). Have you figured out a scalable solution to this?
Nothing scalable. Just realized I was adding the secrets to the task role (which already had a bunch of policies) when they're only needed on the execution role. That made both role policies small enough for now. If I hit the limit again, I'll probably strip all the secrets out of the task definition, grant the task permissions to get secrets on
Good to know, thanks. I will probably opt for a similar approach if required.
The policies we generate sometimes have a lot of duplication between statements. This duplication can lead to the policy going over the size limit of an IAM policy (either 2k, 6k or 10k bytes, depending on the resource type). This change combines multiple statements together, as long as it doesn't change the meaning of the final policy.

Because doing so for all existing stacks will probably provoke minor heart attacks in operators everywhere, the new behavior is gated behind a feature flag. It can be retroactively switched on by people currently being bitten by the size issues:

```
@aws-cdk/aws-iam:minimizePolicies
```

We will merge 2 statements if their effects are the same, and they are otherwise exactly the same apart from their `Action`, `Resource` or `Principal` declarations. We will not merge `NotXxx` statements, because doing so will change the meaning of the statement (`not A or not B ≠ not (A or B)`). There may be multiple possible merges that apply and we are not guaranteed to find the smallest merging, nor do we take effort to find all possible merges and do simplifications like `*`-subsumption. This is a starting point that should help out in the common case.

Fixes #18774, fixes #16350, fixes #18457, fixes #18564, fixes #19276.

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
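The merge rules from the PR description above, and the per-secret grant pattern from the issue report below, as an added Python example (not code from aws-cdk or from the PR; the account id, ARNs and secret names are constructed). It builds the one-statement-per-grant policy a CDK app ends up with, measures the compact-JSON size that IAM counts against the 10240-byte limit, and folds statements together only when the result is equivalent. It reads "otherwise exactly the same" as at most one of `Action`/`Resource`/`Principal` differing, because folding two statements that differ in two of them would widen the grant.

```python
import json

MERGE_KEYS = ("Action", "Resource", "Principal")
# Constructed sample: the one-statement-per-grant shape a CDK app ends up with
# after granting a role access to several secrets, plus one NotAction statement.
STATEMENTS = [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": [f"arn:aws:secretsmanager:us-east-1:123456789012:secret:app/secret-{i}"]}
    for i in range(3)
] + [
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": ["arn:aws:kms:us-east-1:123456789012:key/example-key"]},
    {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": ["*"]},
]

def _values(stmt, key):  # string or list values only (no dict-valued Principal here)
    v = stmt.get(key, [])
    return sorted(v if isinstance(v, list) else [v])

def _rest(stmt):  # everything outside the mergeable keys: Effect, Condition, Sid, ...
    return json.dumps({k: v for k, v in stmt.items() if k not in MERGE_KEYS}, sort_keys=True)

def try_merge(a, b):
    """Merged statement, or None when merging would change the policy's meaning.
    Safe only when exactly one of Action/Resource/Principal differs: folding {A1 on R1}
    and {A2 on R2} into {A1,A2 on R1,R2} would newly allow A1 on R2. NotXxx never merges."""
    if any(k.startswith("Not") for k in (*a, *b)) or _rest(a) != _rest(b):
        return None
    differing = [k for k in MERGE_KEYS if _values(a, k) != _values(b, k)]
    if len(differing) > 1:
        return None
    merged = dict(a)
    for k in differing:
        merged[k] = sorted(set(_values(a, k) + _values(b, k)))
    return merged

def minimize(statements):  # greedy single pass: fold each statement into the first compatible one
    kept = []
    for s in statements:
        for i, t in enumerate(kept):
            m = try_merge(t, s)
            if m is not None:
                kept[i] = m
                break
        else:
            kept.append(s)
    return kept

def policy_bytes(statements):  # approximates IAM's accounting: compact JSON, no whitespace
    return len(json.dumps({"Version": "2012-10-17", "Statement": statements}, separators=(",", ":")).encode())
```

Running `minimize(STATEMENTS)` collapses the three secret statements into one with three resources while leaving the `kms:Decrypt` statement (different action on a different resource) and the `NotAction` statement untouched.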
What is the problem?
Our app has a lot of resources (mostly a lot of secrets). This is causing the auto-generated inline policy max combined size to be exceeded. Even though this bug is technically covered by this feature request, since using Managed Policies is probably the primary fix, I thought I should formally file this issue.
Reproduction Steps
Grant a lot of permissions to a resource that exceeds a total of 10240 bytes.
What did you expect to happen?
Policy consolidation (see this feature request), or the use of managed policies, which allows more than 10240 bytes of policies.
What actually happened?
CloudFormation error:
Maximum policy size of 10240 bytes exceeded for role...
CDK CLI Version
2.7.0 (build cfb09d5)
Framework Version
No response
Node.js Version
16.13.1
OS
Mac OS 12.1
Language
Python
Language Version
No response
Possible solutions:
#7448
#18458