
ECS Secrets from SSM ParamStore exceeds IAM Policy size


I’m unable to deploy my stack that makes use of ECS Secrets. I’m trying to use 58 ECS Secrets (the current hard limit is 60), but with the way CDK currently writes the IAM Policy for the Execution Role, I’m hitting a size limit on the IAM Policy.

The limit is being hit because CDK is adding a statement to the policy per parameter, which creates a lot of duplication within the statement.

            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :ssm:us-east-2:065449092177:parameter/application/parameter1
          - Action:
              - ssm:DescribeParameters
              - ssm:GetParameters
              - ssm:GetParameter
              - ssm:GetParameterHistory
            Effect: Allow

Reproduction Steps

Sorry, I don’t have a stack that I can share.

  1. Create ECS Application w/60 secrets
  2. cdk deploy

Error Log

Maximum policy size of 10240 bytes exceeded for role

Environment

  • CLI Version : 1.44.0
  • Framework Version: 1.44.0
  • Node.js Version: v12.16.1
  • OS : macOS 10.15.5
  • Language (Version): TypeScript (3.7.2)

Other

My ideal solution would be an additional parameter for ecs.Secret.fromSsmParameter that gives the option to skip the grant. My stack already appends a Managed Policy to the Execution Role that has all of the access necessary for my application to pull the parameters.

A more immediate option would be to group all of the SSM parameter grants into a single statement, which would dramatically reduce the duplication of repeating the Action list 60 times.


This is a 🐛 Bug Report

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 9
  • Comments: 7 (3 by maintainers)
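To see why the reporter's deployment fails where a grouped statement would not, here is a small added TypeScript example (it is not code from the aws-cdk issue or from CDK itself). It builds the two policy shapes the report contrasts, one statement per parameter versus all parameter ARNs in a single statement, for 58 constructed parameter names, and sizes them the way IAM does. The account id, region and parameter names are placeholders; the size function assumes compact JSON, because IAM does not count whitespace toward the 10240-character inline policy limit, and the real template's Fn::Join/Ref AWS::Partition expressions are counted as their resolved values.

```typescript
// Added example, not code from the aws-cdk issue: model the two policy shapes the
// report contrasts and measure them as IAM does. Account id, region and parameter
// names below are constructed placeholders.

const SSM_READ_ACTIONS = [
  "ssm:DescribeParameters",
  "ssm:GetParameters",
  "ssm:GetParameter",
  "ssm:GetParameterHistory",
];

// Inline policy limit for an IAM role, as quoted in the report's error message.
const INLINE_POLICY_LIMIT = 10240;

interface Statement {
  Action: string[];
  Effect: "Allow";
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Placeholder region and account (assumptions for this example only).
function parameterArn(name: string, region = "us-east-2", account = "123456789012"): string {
  // SSM parameter names begin with "/", so the ARN reads ...:parameter/application/x
  return `arn:aws:ssm:${region}:${account}:parameter${name}`;
}

// The shape the issue describes: each ecs.Secret is granted separately, so the
// four actions are repeated once per parameter.
function perParameterPolicy(names: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: names.map((name): Statement => ({
      Action: SSM_READ_ACTIONS,
      Effect: "Allow",
      Resource: parameterArn(name),
    })),
  };
}

// The shape the reporter asks for: one statement, the actions listed once, every
// parameter ARN in the Resource array.
function groupedPolicy(names: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Action: SSM_READ_ACTIONS,
        Effect: "Allow",
        Resource: names.map((name) => parameterArn(name)),
      },
    ],
  };
}

// IAM measures a policy without whitespace, so compact JSON is what to count.
// Everything here is ASCII, so characters and bytes coincide.
function iamPolicySize(doc: PolicyDocument): number {
  return JSON.stringify(doc).length;
}

function fitsInlineLimit(doc: PolicyDocument): boolean {
  return iamPolicySize(doc) <= INLINE_POLICY_LIMIT;
}

// Constructed parameter names in the style of the report (/application/parameterN).
function sampleParameterNames(count: number): string[] {
  return Array.from({ length: count }, (_, i) => `/application/parameter${i + 1}`);
}

// Size both shapes for a given number of secrets; 58 reproduces the report.
function compareSizes(count: number): { perParameter: number; grouped: number; limit: number } {
  const names = sampleParameterNames(count);
  return {
    perParameter: iamPolicySize(perParameterPolicy(names)),
    grouped: iamPolicySize(groupedPolicy(names)),
    limit: INLINE_POLICY_LIMIT,
  };
}
```

With 58 names the per-parameter shape comes out well above 10240 characters while the grouped shape is under half of it, so the failure is entirely the repeated Action lists, not the number of ARNs. The same check is worth running against any synthesized template that grants per resource: the limit applies to the resolved JSON, so the resolved ARNs are the right thing to measure.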

Top GitHub Comments

2 reactions
LeandroSoares commented, Oct 1, 2020

Guys, I had the same problem when using an existing role, until I found the option mutable:

Role.fromRoleArn(this, 'ECSTaskExecutionRole', 'MyExecutionRoleArn', { mutable: false }),
1 reaction
metlaivan commented, Oct 28, 2021

@Plasma, thanks a lot for your example. It works for Java too. Example in Java:

import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import software.amazon.awscdk.services.ecs.Secret;
import software.amazon.awscdk.services.iam.Grant;
import software.amazon.awscdk.services.iam.IGrantable;

// Wraps an ecs.Secret and turns its grantRead into a no-op, so CDK stops adding
// one SSM statement per parameter to the execution role. The role then has to be
// given SSM read access separately.
public class NoOpGrantReadSecret extends Secret {

  private final Secret secretImplementation;

  public NoOpGrantReadSecret(Secret secretImplementation) {
    this.secretImplementation = secretImplementation;
  }

  @Override
  public @NotNull Grant grantRead(@NotNull IGrantable grantee) {
    // Grant.drop records that the grant was skipped on purpose and adds nothing to the role.
    return Grant.drop(grantee, "ignored");
  }

  @Override
  public @NotNull String getArn() {
    return secretImplementation.getArn();
  }

  @Override
  public @Nullable Boolean getHasField() {
    return secretImplementation.getHasField();
  }
}

Call:

  // Runs inside a Stack. Needs imports from software.amazon.awscdk.services.ecs
  // (Secret, TaskDefinition, Compatibility, ContainerDefinitionOptions, ContainerImage),
  // services.iam (PolicyStatement) and services.ssm (StringParameter,
  // SecureStringParameterAttributes). serviceSecrets is assumed to be a
  // Map<String, String> from logical names to SSM parameter names.
  final Map<String, Secret> secretVariables = new HashMap<>();
  var secret = Secret.fromSsmParameter(StringParameter.fromSecureStringParameterAttributes(
      this,
      "service-parameter-name",
      SecureStringParameterAttributes.builder()
          .parameterName(serviceSecrets.get("/path/to/ssm"))
          .version(1)
          .build()
  ));
  // The wrapper keeps CDK from appending a per-parameter grant to the execution role.
  secretVariables.put("ENV_VAR_NAME", new NoOpGrantReadSecret(secret));

  // One statement replaces the generated per-parameter ones. Note that a "*" resource
  // lets the execution role read every parameter in the account; scope it to the
  // parameter path ARN where possible.
  var ssmReadOnlyPolicy = PolicyStatement.Builder.create()
      .actions(Arrays.asList("ssm:Describe*", "ssm:Get*", "ssm:List*"))
      .resources(Collections.singletonList("*"))
      .build();

  // TaskDefinition.Builder requires a scope, an id and a compatibility (the original
  // snippet omitted them); Fargate also requires cpu and memoryMiB. Values are placeholders.
  final TaskDefinition taskDefinition = TaskDefinition.Builder.create(this, "TaskDefinition")
      .compatibility(Compatibility.FARGATE)
      .cpu("256")
      .memoryMiB("512")
      .build();
  taskDefinition.addToExecutionRolePolicy(ssmReadOnlyPolicy);

  // image is a required property of ContainerDefinitionOptions; placeholder image.
  ContainerDefinitionOptions containerDefinitionOptions = ContainerDefinitionOptions.builder()
      .image(ContainerImage.fromRegistry("amazon/amazon-ecs-sample"))
      .secrets(secretVariables)
      .build();
