Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), management/tracking (Issues that track a subject or multiple issues), p1
Description
Overview
A number of customers, in separate issues (as well as internal tickets), have reported problems with the automatic IAM policy generation the CDK performs for various services. The most recurrent and problematic of these reports concern generated policies that grow beyond the maximum allowed policy size and therefore fail to deploy.
This issue aggregates and tracks those separate issues, to be resolved once the policy-generation system has been revamped/revised.
Link to the service’s CDK Construct Library API reference page.
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam-readme.html
Maturity: CloudFormation Resources Only
Stable
Implementation
PRs
- fix(iam): IAM Policies are too large to deploy by rix0rrr · Pull Request #19114 · aws/aws-cdk · GitHub
- fix(codepipeline): large cross-region pipelines exceed IAM policy size limit by skinny85 · Pull Request #16350 · aws/aws-cdk · GitHub
- feat(iam): session tagging by rix0rrr · Pull Request #17689 · aws/aws-cdk · GitHub
Issue list
Reports
- (aws-iam): changes in #17689 increase assume role policy size · Issue #18564 · aws/aws-cdk · GitHub
- ECS: Task role default policies race condition · Issue #18675 · aws/aws-cdk · GitHub
- IAM: Maximum policy size of 10240 bytes exceeded for role.. · Issue #18457 · aws/aws-cdk · GitHub
- aws-codepipeline: cross region support creates huge inline policy document for the pipeline role · Issue #16244 · aws/aws-cdk · GitHub
- (iam) Role policies are frequently exceeding 10kB · Issue #14261 · aws/aws-cdk · GitHub
- ECS Secrets from SSM ParamStore exceeds IAM Policy size · Issue #8435 · aws/aws-cdk · GitHub
- How to avoid zillions of conditional policy statements? · Issue #7732 · aws/aws-cdk · GitHub
- aws-cdk_pipelines: Maximum policy size of 10240 bytes exceeded for role · Issue #18531 · aws/aws-cdk · GitHub
- CodePipeline: Maximum policy size of 10240 bytes exceeded for role xxx · Issue #19243 · aws/aws-cdk · GitHub
- (aws_ecs): CDK insists on Modifying the ECS Execution/Task Role with duplicate permissions, resulting policy Is too big to deploy · Issue #18926 · aws/aws-cdk · GitHub
- (IAM Role) : Maximum policy size of 10240 bytes exceeded for role · Issue #12403 · aws/aws-cdk · GitHub
- [cdk-pipelines] Pipeline template grows very fast reaching the 460,800 bytes limit from CloudFormation · Issue #9225 · aws/aws-cdk · GitHub
- [@aws-cdk/pipelines] Maximum policy size of 10240 bytes exceeded for role · Issue #9316 · aws/aws-cdk · GitHub
- CodePipeline/CodeBuild: Maximum policy size of 10240 bytes exceeded for role xxx-role · Issue #4465 · aws/aws-cdk · GitHub
- (aws-cdk/pipelines): mutates role even if withoutPolicyUpdates() is passed · Issue #18167 · aws/aws-cdk · GitHub
- (@aws-cdk/aws-apigatewayv2-alpha): After adding around 30 routes to a http api, I got policy PolicyLengthExceededException
- APIGateway LambdaIntegration: Add option to create a single trigger/permission with wildcards only instead of one for each ApiGateway Resource
- CodePipeline: still getting 'Maximum policy size of 10240 bytes exceeded for role' for cross-account pipeline
Potential Workarounds/Suggestions
- CDK Grants into AWS Managed Policy · Issue #7448 · aws/aws-cdk · GitHub
- IAM/Secrets Manager/ECS: Consolidate IAM policies under path · Issue #18458 · aws/aws-cdk · GitHub
- (aws-s3): supply custom role when adding bucket notifications · Issue #13241 · aws/aws-cdk · GitHub
- [iam] iam.Group should check if inline policy exceeds maximum size · Issue #11562 · aws/aws-cdk · GitHub
- lambda policy size exceeds limit when used with multiple RestApi methods · Issue #5774 · aws/aws-cdk · GitHub
- (iam): how to create combined managed policy? · Issue #12111 · aws/aws-cdk · GitHub
- (aws-iam): policy document optimization · Issue #14713 · aws/aws-cdk · GitHub