aws-codepipeline: cross region support creates huge inline policy document for the pipeline role
We have a CodePipeline setup with cross-region support. The pipeline creates replication buckets in the other regions, and the pipeline internally adds permissions for these S3 buckets to the pipeline role here.
Something like this for each cross region:

```json
{
  "Action": [
    "s3:GetObject*",
    "s3:GetBucket*",
    "s3:List*",
    "s3:DeleteObject*",
    "s3:PutObject*",
    "s3:Abort*"
  ],
  "Resource": [
    "arn:aws:s3:::<replicationbucket>",
    "arn:aws:s3:::<replicationbucket>/*"
  ],
  "Effect": "Allow"
}
```
Since an addAction is called for each region, we add a new policy statement every time with the same permissions, which causes the pipeline role's inline policy to exceed the IAM policy size limit, causing the error below.

```
Maximum policy size of 10240 bytes exceeded for role <pipelinerole>
```
A similar issue is seen for the sts:AssumeRole permissions added here.
Reproduction Steps
Create a CodePipeline with multiple stages and ~15 regions.
What did you expect to happen?
The role that the pipeline creates should be reduced / compacted. Since there are many duplicate actions for each resource, we can have a single policy statement with all resources.
We were adding new stages and regions in our pipeline when we observed this.
What actually happened?
Got this error when deploying the stack.

```
Maximum policy size of 10240 bytes exceeded for role <pipelinerole>
```
Environment
- CDK CLI Version: 1.23 (I think the latest version has this bug too.)
- Framework Version: 1.23
- Node.js Version: 12.x
- OS: macOS
- Language (Version): TypeScript (3.8.3)
This is a 🐛 Bug Report
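One way to do the compaction the report asks for, as an added example that is not part of the issue or of the aws-cdk code base: statements that share Effect, Action and Condition are folded into one statement listing all of their resources (the same fold applies to the per-region sts:AssumeRole grants), and the document is measured against the 10240-byte limit from the error. The bucket ARNs and region list are constructed placeholders.

```typescript
// Added example, not from the issue or the aws-cdk code base: fold IAM
// statements that share Effect, Action and Condition into one statement.
type Statement = {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
  Condition?: Record<string, unknown>;
};
export const INLINE_POLICY_LIMIT_BYTES = 10240;   // IAM limit quoted in the error
// Key on everything except Resource, so only identical grants merge and a
// conditioned statement never folds into an unconditional one.
function mergeKey(s: Statement): string {
  return JSON.stringify({ Effect: s.Effect, Action: [...s.Action].sort(),
                          Condition: s.Condition ?? null });
}
export function compactStatements(statements: Statement[]): Statement[] {
  const merged = new Map<string, Statement>();
  for (const s of statements) {
    const key = mergeKey(s);
    const hit = merged.get(key);
    if (hit === undefined) {
      merged.set(key, { ...s, Action: [...s.Action], Resource: [...s.Resource] });
      continue;
    }
    for (const r of s.Resource) {             // same grant: only add the new ARNs
      if (!hit.Resource.includes(r)) hit.Resource.push(r);
    }
  }
  return [...merged.values()];
}

// IAM does not count white space toward the quota, so measure the compact
// serialization; ARNs and action names are ASCII, so length equals bytes.
export function policySizeBytes(statements: Statement[]): number {
  return JSON.stringify({ Version: "2012-10-17", Statement: statements }).length;
}

// Constructed input: one replication-bucket statement per region, the shape
// the pipeline emits according to the report. Bucket names are placeholders.
const S3_ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                    "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"];
export function perRegionStatements(regions: string[]): Statement[] {
  return regions.map((region): Statement => ({
    Effect: "Allow",
    Action: S3_ACTIONS,
    Resource: [`arn:aws:s3:::replication-bucket-${region}`,
               `arn:aws:s3:::replication-bucket-${region}/*`],
  }));
}
```

Running compactStatements over the per-region statements yields a single Allow statement whose Resource list holds every bucket ARN, so the document grows by two ARNs per region instead of a whole statement.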
Top GitHub Comments
This is a real blocker!
The whole idea of infra-as-code is that it can be scaled and generated.
But this becomes an impediment and an antithesis to infra-as-code.
We were testing on a small set of stages to make sure it all worked. When we added other stages, everything crumbled and the pipeline is now broken.
Could the CodePipeline construct run an aspect on itself to do the optimization on its end? It seems there’s reluctance to make sweeping IAM optimization changes based on comments in #14713, but this is a real show-stopper for production usage of CDK.