CodePipeline: Maximum policy size of 10240 bytes exceeded for role xxx #19243

@poppoerika

Description

What is the problem?

We have a CDK pipeline that creates several other CodePipelines during its execution. Most of the pipelines it creates deploy one or two CloudFormation stacks to various accounts. However, we recently attempted to add a new pipeline that deploys 5 CloudFormation stacks. Afterward we encountered the following error with the Logical ID xxxRoleDefaultPolicyxxx:

Maximum policy size of 10240 bytes exceeded for role xxx (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: xxx; Proxy: null)

It seems that more AssumeRole statements are added to the role as we add stacks to the pipeline until the stack update is cancelled due to exceeding the maximum policy size.

The following are a few examples of the PolicyDocument statements added automatically:

{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxPlaceholderActionNameCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},

It seems that there are some policies created by the CDK pipeline that grow in proportion to the number of resources in the child pipeline, so that after a certain point there is no way to deploy the CDK pipeline.

This has caused us not to be able to deploy all the stacks from a single stage in this wave, which resulted in extra engineer effort for the deployment.

Is there any way to prevent the policy from growing unbounded like this?

Please let us know if you need additional snippets from the generated template or anything else.

Reproduction Steps

--

What did you expect to happen?

The new CodePipeline that deploys 5 CloudFormation stacks in our CDK pipeline gets executed without any issues.

What actually happened?

Some policies created by the CDK pipeline grow in proportion to the number of resources in the child pipeline, so that after a certain point there is no way to deploy the CDK pipeline.

CDK CLI Version

2.4.0

Framework Version

No response

Node.js Version

--

OS

--

Language

Typescript

Language Version

4.4.2

Other information

No response
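A pre-deploy check for the failure mode described in this issue, added here as an example and not code from the reporter or the CDK project: it walks a synthesized CloudFormation template, estimates each inline IAM policy's size against the 10240-character limit from the error, and counts repeated sts:AssumeRole statements such as the duplicated action-role reference in the quoted fragment. The function names, the placeholder ARN used to stand in for unresolved Fn::GetAtt tokens, and the sample template are assumptions constructed for the example.

```typescript
// Pre-deploy check over a synthesized CloudFormation template (cdk.out/*.template.json):
// estimate each inline policy's size against the 10240-character limit from the error
// and count duplicated sts:AssumeRole statements.
const IAM_INLINE_POLICY_LIMIT = 10240; // IAM counts characters, whitespace excluded
interface Statement { Action: string | string[]; Effect: string; Resource: unknown }
interface PolicyReport { logicalId: string; size: number; overLimit: boolean;
  assumeRoleStatements: number; duplicateStatements: number }
// Swap {"Fn::GetAtt":[id,"Arn"]} and {"Ref":id} for a placeholder ARN so the estimate
// reflects the resolved policy, not the shorter token. ASSUMPTION: a real role ARN is
// roughly as long as this constructed placeholder.
function resolveTokens(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(resolveTokens);
  if (value === null || typeof value !== 'object') return value;
  const obj = value as Record<string, unknown>;
  const getAtt = obj['Fn::GetAtt'];
  if (Array.isArray(getAtt)) return `arn:aws:iam::123456789012:role/${String(getAtt[0])}`;
  if (typeof obj.Ref === 'string') return `arn:aws:iam::123456789012:role/${obj.Ref}`;
  const out: Record<string, unknown> = {};
  for (const k of Object.keys(obj)) out[k] = resolveTokens(obj[k]);
  return out;
}
function checkPolicySizes(template: { Resources: Record<string, any> }): PolicyReport[] {
  const reports: PolicyReport[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::IAM::Policy') continue; // CDK's *DefaultPolicy* resources
    const doc = resolveTokens(res.Properties.PolicyDocument) as { Statement: Statement | Statement[] };
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    const size = JSON.stringify(doc).length; // compact JSON approximates IAM's count
    const seen = new Set<string>();
    let assumeRole = 0, duplicates = 0;
    for (const s of statements) {
      const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
      if (actions.indexOf('sts:AssumeRole') >= 0) assumeRole++;
      const key = JSON.stringify(s);
      if (seen.has(key)) duplicates++; else seen.add(key);
    }
    reports.push({ logicalId, size, overLimit: size > IAM_INLINE_POLICY_LIMIT,
      assumeRoleStatements: assumeRole, duplicateStatements: duplicates });
  }
  return reports;
}
// Constructed sample using the statement shape quoted in the issue; ActionRoleA appears twice.
const sampleTemplate = { Resources: { RoleDefaultPolicy: { Type: 'AWS::IAM::Policy',
  Properties: { PolicyDocument: { Version: '2012-10-17', Statement: [
    { Action: 'sts:AssumeRole', Effect: 'Allow', Resource: { 'Fn::GetAtt': ['ActionRoleA', 'Arn'] } },
    { Action: 'sts:AssumeRole', Effect: 'Allow', Resource: { 'Fn::GetAtt': ['ActionRoleB', 'Arn'] } },
    { Action: 'sts:AssumeRole', Effect: 'Allow', Resource: { 'Fn::GetAtt': ['ActionRoleA', 'Arn'] } } ] } } } } };
```

Run it against every `*.template.json` under `cdk.out` before `cdk deploy`; a report with `overLimit` true or a non-zero `duplicateStatements` count is the signal to split the stage or deduplicate action roles before IAM rejects the update.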
