
aws-cdk_pipelines: Maximum policy size of 10240 bytes exceeded for role #18531

Status: Closed
akashv-builder opened this issue Jan 19, 2022 · 2 comments
Labels: @aws-cdk/pipelines (CDK Pipelines library), bug (This issue is a bug.), duplicate (This issue is a duplicate.)

Comments

@akashv-builder

What is the problem?

Experiencing an error with CDK Pipelines and a limit with respect to the Managed IAM Role associated with the Pipeline. Every time an asset is added to the pipeline, the pipeline automatically adds assume role permissions to a cdk managed role during the "Self Mutate" state. When we add 60+ assets/lambda functions to a CDK pipeline, the IAM role becomes too large and, as a result, the pipeline fails to update during the "Self Mutate" state.

The role policy looks like below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject*",
        "s3:GetBucket*",
        "s3:List*",
        "s3:DeleteObject*",
        "s3:PutObject*",
        "s3:Abort*"
      ],
      "Resource": [
        "arn:aws:s3:::amwaycognitopipelinestac-amwaycognitopipelinearti-1doqf25ffndr3",
        "arn:aws:s3:::amwaycognitopipelinestac-amwaycognitopipelinearti-1doqf25ffndr3/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineBuil-1W1NZE3SQ7YCQ",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineUpda-12S5M6LW8VK0T",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1CLJZDVCQIO32",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-UQYP66LZH3QI",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-B3YWVLPNBXO2",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-36QVR9COMR4F",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1CXAYLMTPNCLD",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1V5WJ7SQ1W51S",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1WOZ0CW28JZXE",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1PNCT6GG2ES9S",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1AKF3RGV9LQ08",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-YRUWDL9KCHPS",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-O0I1HDIBF1KX",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-GLDQD7CR5FY1",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-142G6PO8GAT57",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-UPJHFB3SQ6JP",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1FEB9O6KD825F",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-TV4034AQV9HV",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-EYWZ15IVPARW",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1RA0A5QFCDL4W",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1QY0MAYJO7UZO",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-6UHG1YX91CJ0",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1MPLGMPEISYY5",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-WWSFHIHJ8HH6",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-C32JRQW9NPS1",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-PYVLKHU1YCPM",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1KXUX1RQHK1OA",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-RUOXO2WCSENR",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1L4JDWGCDRPV6",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-18QYALASWK23P",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-G40KWBQF90GH",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1BO8SC8JX9NYE",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-D1ARE616AGIV",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-GNT7JUL23YWB",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-73JLNQKI9V0V",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-FW0F1WSBE6SZ",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-G3ZV5JOVM1O7",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1XY5GU71FV775",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-G41NUSYH4M0K",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-6VBXZZAFQ5A9",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-1RPONWD7KKDU0",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-A095JYVRWQW7",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-Z43N5B72LMTP",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::935677405004:role/AmwayCognitoPipelineStack-AmwayCognitoPipelineAsse-3S8MO6SYNSKD",
      "Effect": "Allow"
    },
```
........ and so on

Reproduction Steps

Have more than 60 assets in the cdk pipeline.

What did you expect to happen?

The pipeline should get executed successfully.

What actually happened?

```text
AmwayCognitoPipelineStackdevcdk | 13/29 | 3:20:18 PM | UPDATE_IN_PROGRESS | AWS::IAM::Policy | AmwayCognitoPipeline/Pipeline/Role/DefaultPolicy (AmwayCognitoPipelineRoleDefaultPolicyB4A64DD9)

184 | AmwayCognitoPipelineStackdevcdk | 13/29 | 3:20:20 PM | UPDATE_FAILED | AWS::IAM::Policy | AmwayCognitoPipeline/Pipeline/Role/DefaultPolicy (AmwayCognitoPipelineRoleDefaultPolicyB4A64DD9) Maximum policy size of 10240 bytes exceeded for role AmwayCognitoPipelineStack-AmwayCognitoPipelineRole-RIBKSANTPBC8 (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: b9581531-700c-4e50-a178-06ec2a05676b; Proxy: null)
185 | new Policy (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-iam/lib/policy.ts:89:22)
186 | _ Role.addToPrincipalPolicy (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-iam/lib/role.ts:236:28)
187 | _ Function.addToPrincipal (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-iam/lib/grant.ts:92:61)
188 | _ Function.addToPrincipalOrResource (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-iam/lib/grant.ts:48:26)
189 | _ Bucket.grant (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-s3/lib/bucket.ts:384:27)
190 | _ Bucket.grantReadWrite (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-s3/lib/bucket.ts:314:17)
191 | _ new Pipeline (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/aws-codepipeline/lib/pipeline.ts:283:25)
192 | _ CodePipeline.doBuildPipeline (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/pipelines/lib/codepipeline/codepipeline.ts:162:24)
193 | _ CodePipeline.buildPipeline (/codebuild/output/src070/src/s3/00/node_modules/@aws-cdk/pipelines/lib/main/pipeline-base.ts:70:10)
```

CDK CLI Version

2.8.0

Framework Version

No response

Node.js Version

14.18.1

OS

Linux

Language

Typescript

Language Version

No response

Other information

No response
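The report above shows the mechanism behind the failure: the pipeline role's inline policy grows by one full `sts:AssumeRole` statement per asset, so the 10240-character quota is hit once enough assets exist. The following is an added example (not code from the issue or from the aws-cdk project) that measures a policy the way the IAM quota counts it (whitespace is not counted) and compares the one-statement-per-asset layout from the report with a single statement whose `Resource` is an array of the same role ARNs. The account id, bucket name and role-name pattern are constructed placeholders modeled on the shape of the ARNs in the report; `policy_size` is an approximation of IAM's rule, exact here because none of the string values contain whitespace.

```python
"""Added example (not from the issue or the aws-cdk project): measure an IAM role
policy against the 10240-character inline-policy quota and compare the
one-statement-per-asset layout from the report with a consolidated layout.

Assumptions, all constructed: the account id, bucket name and role-name pattern
are placeholders; policy_size() approximates IAM's rule that whitespace is not counted.
"""
import json
from typing import Callable, Dict, Set

POLICY_SIZE_LIMIT = 10240                        # IAM quota for an inline role policy
ACCOUNT = "123456789012"                         # placeholder account id (constructed)
ARTIFACT_BUCKET = "example-pipeline-artifacts"   # placeholder bucket name (constructed)

# The artifact-bucket statement the pipeline role always carries (same actions as the report).
BASE_STATEMENTS = [{
    "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
               "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"],
    "Resource": [f"arn:aws:s3:::{ARTIFACT_BUCKET}", f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"],
    "Effect": "Allow",
}]


def asset_role_arn(i: int) -> str:
    """Constructed role ARN; the name pattern mimics the '...Asse-<id>' roles in the report."""
    return f"arn:aws:iam::{ACCOUNT}:role/ExamplePipelineStack-ExamplePipelineAsse-{i:012d}"


def policy_size(policy: Dict) -> int:
    """Characters in the policy document with whitespace removed, which is how the
    IAM quota is measured (approximation: string values here contain no spaces)."""
    compact = json.dumps(policy, separators=(",", ":"))
    return sum(1 for ch in compact if not ch.isspace())


def per_asset_statements(n: int) -> Dict:
    """One sts:AssumeRole statement per asset role: the layout shown in the report."""
    stmts = BASE_STATEMENTS + [
        {"Action": "sts:AssumeRole", "Resource": asset_role_arn(i), "Effect": "Allow"}
        for i in range(n)
    ]
    return {"Version": "2012-10-17", "Statement": stmts}


def consolidated_statement(n: int) -> Dict:
    """Same grants in one statement with a Resource array: identical scope, but
    Action and Effect are no longer repeated once per asset. n == 0 yields no
    AssumeRole statement at all (an empty Resource array is not a valid policy)."""
    if n == 0:
        return {"Version": "2012-10-17", "Statement": list(BASE_STATEMENTS)}
    stmts = BASE_STATEMENTS + [{
        "Action": "sts:AssumeRole",
        "Resource": [asset_role_arn(i) for i in range(n)],
        "Effect": "Allow",
    }]
    return {"Version": "2012-10-17", "Statement": stmts}


def fits(policy: Dict, limit: int = POLICY_SIZE_LIMIT) -> bool:
    return policy_size(policy) <= limit


def granted_assume_role_targets(policy: Dict) -> Set[str]:
    """Every role ARN the policy allows sts:AssumeRole on; used to check that
    consolidating statements neither widens nor narrows the grant."""
    targets: Set[str] = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            targets.update(res)
    return targets


def max_assets(builder: Callable[[int], Dict], limit: int = POLICY_SIZE_LIMIT, cap: int = 10_000) -> int:
    """Largest asset count for which builder(n) still fits the quota (linear scan; cap guards the loop)."""
    n = 0
    while n < cap and fits(builder(n + 1), limit):
        n += 1
    return n


if __name__ == "__main__":
    for name, builder in (("one statement per asset", per_asset_statements),
                          ("single consolidated statement", consolidated_statement)):
        print(f"{name}: {max_assets(builder)} assets fit under the {POLICY_SIZE_LIMIT}-character quota")
    a, b = per_asset_statements(60), consolidated_statement(60)
    same = granted_assume_role_targets(a) == granted_assume_role_targets(b)
    print(f"60 assets: {policy_size(a)} vs {policy_size(b)} characters; same AssumeRole targets: {same}")
```

With these placeholder names the per-asset layout stops fitting at 70 assets, close to the "60+" in the report (whose role names are longer), while the array form holds 114 with exactly the same set of target roles. Listing the ARNs in an array is the consolidation that preserves least privilege; collapsing them to a name-prefix wildcard would save more characters but would also permit assuming any future role matching the prefix, which the per-asset policy never granted.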

@akashv-builder akashv-builder added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2022
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Jan 19, 2022
@peterwoodworth peterwoodworth added duplicate This issue is a duplicate. and removed needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2022
@peterwoodworth (Contributor)

Thanks for reporting this @akashv-builder,

We're aware of this issue, and haven't had the time to put in the fix for it since messing with policies is really tricky. We're tracking the issue in a few places, as there are a couple different ways we can help to prevent this error. Here's where we're tracking it: #16244, #14713, and a PR, #16350.

Please give a thumbs up on these issues; that is the best way to help us prioritize them 🙂

Ping me if you have any other concerns

@github-actions (bot)

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
