
lambda policy size exceeds limit when used with multiple RestApi methods


short description:

Override Lambda Permission manually when creating a new API Gateway method.

Use Case

Recently I faced this issue when pointing multiple API Gateway methods to a specific lambda:

The final policy size (XXX) is bigger than the limit (20480)

The feature allows users to bypass automatic permission creation (sort of “manual mode”) to avoid this limitation.

I noticed that when using LambdaIntegration class the bind function adds permissions automatically to the lambda function based on the method URL.

My workaround was overriding the bind function with my own class (see this post - https://stackoverflow.com/questions/59713522/cdk-override-bind-when-using-lambdaintegration?noredirect=1#comment105588249_59713522) and implementing my own logic.

This feature can give more flexibility to the end-user and could give more control over the lambda permissions.

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 3
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

5 reactions
rehanvdm commented, Apr 6, 2020

@nija-at “it wouldn’t be the right customer experience for a CDK user.” Why do you think this? Also it is the resource based policy which has a limit of 2,048.

The problem is that LambdaIntegration calls the lambda function addPermission every time for a new Method. The policy gets filled up quite quickly and then the stack fails stating that the policy size is too big. The solution is to create a variation of the LambdaIntegration class that does the binding but does not add an individual method policy for each API method but rather just gives the whole API (any resource + method) access to the Lambda.

```ts
import lambda = require('@aws-cdk/aws-lambda');
import apigateway = require('@aws-cdk/aws-apigateway');
import iam = require('@aws-cdk/aws-iam'); // needed for iam.ServicePrincipal below

// LambdaIntegration variant whose bind() does not add a permission per method.
class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration
{
    constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
        super(handler, options);
    }

    bind(method: apigateway.Method)
    {
        // Only record the scope; no addPermission call here.
        this['scope'] = method;
    }
}

// `this`, id, buildPros and apiLambda come from the enclosing stack (not shown).
const api = new apigateway.RestApi(this, id + "-api", {
    restApiName: id,
    deployOptions: { stageName: buildPros.Environment },
    defaultCorsPreflightOptions: {
        allowOrigins: apigateway.Cors.ALL_ORIGINS,
        allowMethods: apigateway.Cors.ALL_METHODS,
        allowHeaders: ["*"]
    },
    defaultIntegration: new LambdaIntegrationNoPermission(apiLambda, { proxy: true }),
});

// .... Add many methods and resources here ....

/* Manually add the permission, specifying with the API function arnForExecuteApi empty params means for all methods, paths and stages */
apiLambda.addPermission(id + "ApiGWPermissions", {
    action: 'lambda:InvokeFunction',
    principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
    sourceArn: api.arnForExecuteApi()
});
```
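
An added example, not part of the original comment and not CDK code: a model of the function's resource-based policy that compares one statement per method with the single wildcard statement described above. The ARNs are constructed placeholders, and the one-statement-per-method layout and the `ArnLike` matching are simplifying assumptions; the last function shows that the wildcard statement also matches stages and methods that were never listed individually.

```typescript
// Added example: a model of the Lambda resource-based policy, not CDK source code.
const POLICY_LIMIT_BYTES = 20480; // limit quoted in the error message on this page

// Constructed placeholder ARNs (assumptions, not values from the issue).
const FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:api-handler";
const API_ARN = "arn:aws:execute-api:us-east-1:111122223333:abcde12345";

interface Statement {
  Sid: string; Effect: string; Principal: { Service: string };
  Action: string; Resource: string;
  Condition: { ArnLike: { "AWS:SourceArn": string } };
}

function statement(sid: string, sourceArn: string): Statement {
  return {
    Sid: sid, Effect: "Allow", Principal: { Service: "apigateway.amazonaws.com" },
    Action: "lambda:InvokeFunction", Resource: FUNCTION_ARN,
    Condition: { ArnLike: { "AWS:SourceArn": sourceArn } },
  };
}

// Simplification: one statement per method, as a per-method addPermission call would add.
function perMethodPolicy(n: number): Statement[] {
  const out: Statement[] = [];
  for (let i = 0; i < n; i++) {
    out.push(statement("ApiPermission.GET.resource" + i, API_ARN + "/prod/GET/resource" + i));
  }
  return out;
}

// One statement covering every stage, method and path of this API.
function wildcardPolicy(): Statement[] {
  return [statement("ApiGWPermissions", API_ARN + "/*/*/*")];
}

// The document is ASCII, so string length equals byte length.
function policySize(statements: Statement[]): number {
  return JSON.stringify({ Version: "2012-10-17", Statement: statements }).length;
}

// Smallest number of methods whose per-method policy no longer fits the limit.
function firstFailingCount(): number {
  let n = 1;
  while (policySize(perMethodPolicy(n)) <= POLICY_LIMIT_BYTES) n++;
  return n;
}

// Simplified ArnLike: '*' matches any run of characters, '?' exactly one.
function allows(statements: Statement[], sourceArn: string): boolean {
  return statements.some((s) => {
    const p = s.Condition.ArnLike["AWS:SourceArn"].replace(/[.+^${}()|[\]\\]/g, "\\$&");
    return new RegExp("^" + p.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(sourceArn);
  });
}
```

In this model the per-method policy stops fitting after a few dozen methods, while the wildcard policy stays a few hundred bytes regardless of how many methods the API has.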

0 reactions
rehanvdm commented, Jun 10, 2021

Does not work anymore since the Method signature changed, refer to the newly opened ticket addressing this and the new solution here: https://github.com/aws/aws-cdk/issues/9327#issuecomment-858372987
