StepFunction/Lambda PolicyDocument duplicate permissions (Maximum policy size exceeded)
I have a lambda function that is called by a number of parallel tasks in an AWS step function. Code (with irrelevant bits snipped out) looks something like this:
```ts
// Imports added for context; these are the CDK v0.x module names in use at the time of this issue.
import * as lambda from '@aws-cdk/aws-lambda';
import * as stepfunctions from '@aws-cdk/aws-stepfunctions';

const checkDomainsFunc = new lambda.Function(this, 'CheckDomainsFunction', {
  // ..snip..
});

// One Task per slice; every Task targets the same Lambda function.
const newCheckDomainsTask = (sliceNum: number) => {
  const checkDomainsTask = new stepfunctions.Task(this, `CheckDomainsTask${sliceNum}`, {
    resource: checkDomainsFunc,
    inputPath: `$.slice.${sliceNum}`,
    resultPath: `$.result.${sliceNum}`,
  });
  // ..snip..
  return checkDomainsTask;
};

const checkDomainsParallelStep = new stepfunctions.Parallel(this, 'CheckDomainsParallelStep', {
  resultPath: '$.result',
});
for (let i = 0; i < Object.keys(sliceConfig).length; i++) {
  checkDomainsParallelStep.branch(newCheckDomainsTask(i));
}

const definition = stepfunctions.Chain
  .start(configureSlicesStep)
  .next(checkDomainsParallelStep);

new stepfunctions.StateMachine(this, 'FooStateMachine', {
  definition,
  timeoutSec: 60 * 60,
});
```
I end up getting an error like the following:
```
2/4 | 21:47:03 | UPDATE_FAILED | AWS::IAM::Policy | FooStateMachine/Role/DefaultPolicy (FooStateMachineRoleDefaultPolicy3ED6D243) Maximum policy size of 10240 bytes exceeded for role FooStack-FooStateMachineRole725DD6EF-752AIIF1U5GZ (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: f5369744-31e8-11e9-88af-795178e442ff)
```
Looking at `cdk diff`, it seems that the same permission for the state machine to execute the lambda function is repeated for each of the parallel tasks:
```
[~] AWS::IAM::Policy FooStateMachine/Role/DefaultPolicy FooStateMachineRoleDefaultPolicy3ED6D243
└─ [~] PolicyDocument
└─ [~] .Statement:
└─ @@ -198,5 +198,805 @@
[ ] "Arn"
[ ] ]
[ ] }
[+] },
[+] {
[+] "Action": "lambda:InvokeFunction",
[+] "Effect": "Allow",
[+] "Resource": {
[+] "Fn::GetAtt": [
[+] "CheckDomainsFunction9CC80B3F",
[+] "Arn"
[+] ]
[+] }
[+] },
[+] {
[+] "Action": "lambda:InvokeFunction",
[+] "Effect": "Allow",
[+] "Resource": {
[+] "Fn::GetAtt": [
[+] "CheckDomainsFunction9CC80B3F",
[+] "Arn"
[+] ]
[+] }
[+] },
[+] {
[+] "Action": "lambda:InvokeFunction",
[+] "Effect": "Allow",
[+] "Resource": {
[+] "Fn::GetAtt": [
[+] "CheckDomainsFunction9CC80B3F",
[+] "Arn"
[+] ]
[+] }
[+] },
..snip..
```
I would have expected the policy to be treated like a set (e.g. this permission would only be added once when it’s exactly the same).
While it would be nice to have this solved ‘properly’ at some point, some form of workaround in the meantime would also be awesome. I assume I’ll be able to override/replace the policy document somehow, but haven’t quite figured that out yet.
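The set semantics the reporter expects, as an added example that is not part of the issue or of the CDK code base: a plain TypeScript pass over a synthesized CloudFormation template that drops identical statements from every AWS::IAM::Policy and estimates the resulting document size against the 10240-byte limit from the error above. The template below is a constructed sample modelled on the cdk diff; the ConfigureSlices logical id is assumed.

```typescript
// Added example (not from the issue or the CDK project): deduplicate IAM
// statements in a synthesized template, the set semantics the reporter expected.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type Obj = { [k: string]: Json };
type Template = { Resources: { [id: string]: { Type: string; Properties: Obj } } };
const MAX_INLINE_POLICY_SIZE = 10240; // limit quoted in the UPDATE_FAILED error

// Minified JSON with sorted keys: statements differing only in key order or
// whitespace compare equal.
function canonical(value: Json): string {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Keep the first occurrence of each distinct statement, preserving order.
function dedupeStatements(statements: Json[]): Json[] {
  const seen: { [k: string]: true } = {};
  return statements.filter((s) => {
    const key = canonical(s);
    return seen[key] ? false : (seen[key] = true);
  });
}

// Size IAM will roughly measure (no whitespace); Fn::GetAtt is still
// unresolved here, so this is a lower bound on the deployed size.
function policySize(doc: Json): number { return canonical(doc).length; }
function exceedsLimit(doc: Json): boolean { return policySize(doc) > MAX_INLINE_POLICY_SIZE; }

// Copy of the template with every AWS::IAM::Policy's Statement deduplicated.
function dedupeTemplatePolicies(template: Template): Template {
  const out: Template = { Resources: {} };
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::IAM::Policy') { out.Resources[id] = res; continue; }
    const doc = res.Properties.PolicyDocument as Obj;
    const policy: Obj = { ...doc, Statement: dedupeStatements(doc.Statement as Json[]) };
    out.Resources[id] = { Type: res.Type, Properties: { ...res.Properties, PolicyDocument: policy } };
  }
  return out;
}

// Constructed sample modelled on the cdk diff above: one grant for the configure
// step (logical id assumed) plus three identical grants from the parallel branches.
const invoke = (fn: string): Obj =>
  ({ Action: 'lambda:InvokeFunction', Effect: 'Allow', Resource: { 'Fn::GetAtt': [fn, 'Arn'] } });
const sampleTemplate: Template = { Resources: { FooStateMachineRoleDefaultPolicy3ED6D243: {
  Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: { Version: '2012-10-17', Statement: [
    invoke('ConfigureSlicesFunctionAAAA0000'), invoke('CheckDomainsFunction9CC80B3F'),
    invoke('CheckDomainsFunction9CC80B3F'), invoke('CheckDomainsFunction9CC80B3F') ] } } } } };
```

The deduplicated document is the kind of value a raw override of `Properties.PolicyDocument` would take; rendered ARNs are longer than the unresolved `Fn::GetAtt` placeholders, so `policySize` understates the deployed size.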
Top GitHub Comments
But I think the problem might be that it merges the documents :x
Huh. Honestly, no.
A raw override (`addOverride('Properties.PolicyDocument', ...)`) might work better?