
CodePipeline/CodeBuild: Maximum policy size of 10240 bytes exceeded for role xxx-role


We are deploying a set of CodePipeline & CodeBuild stacks with AWS CDK and hit the following errors:

Maximum policy size of 10240 bytes exceeded for role xxx-CodeBuildRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: )
Maximum policy size of 10240 bytes exceeded for role xxx-CodePipelineRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: )
Maximum policy size of 10240 bytes exceeded for role xxx-CrossAccountDeployerRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID:)

As you can see, we are trying to use our custom build, pipeline and deployment roles for our setup.

We have set up the IAM roles so that they are limited to certain resources with certain prefixes in certain regions. The IAM roles are already suitable for pipeline, build and deployment usage. The problem seems to be that CDK adds more policies to the roles until the stack update is cancelled because the resource limit is exceeded.

In our use case we are forced to use hand-crafted CloudFormation templates until we can fully move to CDK. This is currently a blocker for us.

Reproduction Steps

Creating multiple pipelines with the following code:

    // CDK v1 packages matching the reported framework version (1.12.0).
    import * as codepipeline from '@aws-cdk/aws-codepipeline';
    import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';

    // Defined elsewhere in the reporter's project (not shown in the issue): stack, name,
    // bucket, repository, project, clusterNameDev, the role-importing helpers
    // codePipelineRole / codeCommitRole / crossAccountDeployerRole, and the custom
    // MyEcsDeployAction.

    const pipeline = new codepipeline.Pipeline(stack, `Pipeline`, {
        pipelineName: name,
        role: codePipelineRole(stack), // Import role
        artifactBucket: bucket,
    });
    const source = new codepipeline.Artifact('Source');
    pipeline.addStage({
        stageName: 'Source',
        actions: [
            new codepipeline_actions.CodeCommitSourceAction({
                actionName: 'Source',
                repository,
                output: source,
                role: codeCommitRole(stack), // Import role
            }),
        ]
    });
    const buildOutput = new codepipeline.Artifact();
    pipeline.addStage({
        stageName: 'Build',
        actions: [
            new codepipeline_actions.CodeBuildAction({
                actionName: 'Build',
                input: source,
                project,
                outputs: [buildOutput],
                role: pipeline.role,
            }),
        ]
    });

    pipeline.addStage({
        stageName: 'UpdateDev',
        actions: [
            // See https://github.com/aws/aws-cdk/issues/4375
            new MyEcsDeployAction({
                actionName: 'DeployImage',
                clusterName: clusterNameDev,
                serviceName: name,
                input: buildOutput,
                role: crossAccountDeployerRole(stack), // Import role
            }),
        ]
    });

Proposed solution

Two possibilities come to my mind:

  • Provide a way to use the role as-is, without adding any new policies and assume it has been already set up properly.

  • Another way could possibly be to create new policies rather than inline policies that fill up the limited space very quickly.
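The failure above only shows up at deploy time, once IAM rejects the PutRolePolicy call. The following added example (not code from the issue or from the CDK project) estimates the aggregate inline-policy size per IAM role from a synthesized CloudFormation template, the JSON that `cdk synth` writes to cdk.out, so a role approaching the 10240-character quota quoted in the error message is flagged before deployment. It generalizes the issue's case to any template: CDK-managed roles (the `Policies` property of `AWS::IAM::Role`) and imported, hand-managed roles (referenced by name from `AWS::IAM::Policy` resources) are both counted. The template, account id, region and role names are constructed placeholders.

```typescript
// Added example, not code from the issue or from the CDK project: estimate the
// aggregate inline-policy size per IAM role from a synthesized CloudFormation
// template so the 10240-character quota behind the LimitExceeded error is caught
// before `cdk deploy` hits it. Template, ARNs and role names are constructed.

const ROLE_INLINE_POLICY_LIMIT = 10240; // limit quoted in the error message on the page

type Json = any;

// IAM does not count white space when sizing a policy, so compact JSON
// serialisation approximates IAM's accounting. CloudFormation intrinsics such as
// { "Ref": ... } or { "Fn::Join": ... } are measured unresolved, so treat the
// result as an estimate: resolved ARNs are usually longer, never shorter.
function policyDocumentSize(doc: Json): number {
  return JSON.stringify(doc).length;
}

// A policy's Roles entry is either a literal role name (an imported role) or a
// { "Ref": "<logical id>" } pointing at a role resource in the same template.
function roleKey(ref: Json): string {
  if (typeof ref === 'string') return ref;
  if (ref && typeof ref.Ref === 'string') return ref.Ref;
  return JSON.stringify(ref);
}

// Sum inline policy sizes per role: the Policies property of AWS::IAM::Role
// resources plus every AWS::IAM::Policy resource attached through its Roles list.
// Trust policies (AssumeRolePolicyDocument) are not inline policies and are skipped.
function inlinePolicySizePerRole(template: Json): Record<string, number> {
  const totals: Record<string, number> = {};
  const add = (role: string, n: number) => { totals[role] = (totals[role] || 0) + n; };
  const resources: Record<string, Json> = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    const props = res.Properties || {};
    if (res.Type === 'AWS::IAM::Role') {
      for (const p of props.Policies || []) add(logicalId, policyDocumentSize(p.PolicyDocument));
    } else if (res.Type === 'AWS::IAM::Policy') {
      const size = policyDocumentSize(props.PolicyDocument || {});
      for (const r of props.Roles || []) add(roleKey(r), size);
    }
  }
  return totals;
}

// Roles whose aggregate inline policy size exceeds the quota.
function rolesOverLimit(template: Json, limit: number = ROLE_INLINE_POLICY_LIMIT): string[] {
  const totals = inlinePolicySizePerRole(template);
  return Object.keys(totals).filter((role) => totals[role] > limit);
}

// Constructed template shaped like CDK output: one CDK-managed CodeBuild role with an
// inline policy, plus `pipelineCount` pipelines that each attach an AWS::IAM::Policy to
// the imported, hand-managed role xxx-CodePipelineRole, which is the pattern in the issue.
function sampleTemplate(pipelineCount: number): Json {
  const resources: Record<string, Json> = {
    CodeBuildRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Principal: { Service: 'codebuild.amazonaws.com' }, Action: 'sts:AssumeRole' } ] },
        Policies: [{ PolicyName: 'logs', PolicyDocument: { Version: '2012-10-17', Statement: [
          { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
            Resource: 'arn:aws:logs:eu-west-1:123456789012:log-group:/aws/codebuild/*' } ] } }],
      },
    },
  };
  for (let i = 0; i < pipelineCount; i++) {
    resources[`Pipeline${i}Policy`] = {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyName: `Pipeline${i}Policy`,
        Roles: ['xxx-CodePipelineRole'],
        PolicyDocument: { Version: '2012-10-17', Statement: [{
          Effect: 'Allow',
          Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild'],
          Resource: `arn:aws:codebuild:eu-west-1:123456789012:project/pipeline-${i}`,
        }] },
      },
    };
  }
  return { Resources: resources };
}

// Stand-alone run: report per-role usage and flag roles over the quota.
const report = inlinePolicySizePerRole(sampleTemplate(80));
for (const role of Object.keys(report)) {
  console.log(`${role}: ${report[role]} / ${ROLE_INLINE_POLICY_LIMIT}`);
}
console.log('over limit:', rolesOverLimit(sampleTemplate(80)));
```

Against a real project, `JSON.parse(fs.readFileSync('cdk.out/<stack>.template.json', 'utf8'))` can be passed to `rolesOverLimit` in place of the constructed template, for instance as a step in CI after `cdk synth`. Because unresolved intrinsics are counted shorter than their resolved form, a role reported close to the limit should be treated as already over it.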

Environment

  • CLI Version: 1.12.0
  • Framework Version: 1.12.0
  • OS: MacOS
  • Language: TypeScript

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 11 (11 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Oct 14, 2019

Yeah, I know 😕 This is kind of a miss on our part, but I have an idea for a fix. Stay tuned.

0 reactions
markusl commented, Oct 14, 2019

Thanks for looking into this!

The immutable role now works in a similar way to the imported immutable role, which results in an error for each pipeline:

    throw new Error(`Validation failed with the following errors:\n  ${errorList}`);
    ^

    Error: Validation failed with the following errors:
      [pipelines/Project1/PolicyDocument] Policy must be attached to at least one principal: user, group or role
      [pipelines/Project2/PolicyDocument] Policy must be attached to at least one principal: user, group or role
    etc...