
StepFunction/Lambda PolicyDocument duplicate permissions (Maximum policy size exceeded)


I have a lambda function, that is called by a number of parallel tasks in an AWS step function. Code (with irrelevant bits snipped out) looks something like this:

// Imports added for context (module names of the CDK 0.x packages the code uses); the rest is as posted.
import * as lambda from '@aws-cdk/aws-lambda';
import * as stepfunctions from '@aws-cdk/aws-stepfunctions';

const checkDomainsFunc = new lambda.Function(this, 'CheckDomainsFunction', {
  ..snip..
});

// One Task per slice, all pointing at the same Lambda function.
const newCheckDomainsTask = (sliceNum: number) => {
  const checkDomainsTask = new stepfunctions.Task(this, `CheckDomainsTask${sliceNum}`, {
    resource: checkDomainsFunc,
    inputPath: `$.slice.${sliceNum}`,
    resultPath: `$.result.${sliceNum}`,
  });
  ..snip..
  return checkDomainsTask;
};

const checkDomainsParallelStep = new stepfunctions.Parallel(this, 'CheckDomainsParallelStep', {
  resultPath: '$.result'
});

// Each branch invokes the same function, and each branch contributes its own grant.
for (let i = 0; i < Object.keys(sliceConfig).length; i++) {
  checkDomainsParallelStep.branch(newCheckDomainsTask(i));
}

const definition = stepfunctions.Chain
  .start(configureSlicesStep)
  .next(checkDomainsParallelStep);

new stepfunctions.StateMachine(this, 'FooStateMachine', {
  definition,
  timeoutSec: 60 * 60
});

I end up getting an error like the following:

 2/4 | 21:47:03 | UPDATE_FAILED        | AWS::IAM::Policy                 | FooStateMachine/Role/DefaultPolicy (FooStateMachineRoleDefaultPolicy3ED6D243) Maximum policy size of 10240 bytes exceeded for role FooStack-FooStateMachineRole725DD6EF-752AIIF1U5GZ (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: f5369744-31e8-11e9-88af-795178e442ff)

Looking at cdk diff, it seems that the same permission for the statemachine to execute the lambda function is repeated for each of the parallel tasks:

[~] AWS::IAM::Policy FooStateMachine/Role/DefaultPolicy FooStateMachineRoleDefaultPolicy3ED6D243
 └─ [~] PolicyDocument
     └─ [~] .Statement:
         └─ @@ -198,5 +198,805 @@
            [ ]         "Arn"
            [ ]       ]
            [ ]     }
            [+]   },
            [+]   {
            [+]     "Action": "lambda:InvokeFunction",
            [+]     "Effect": "Allow",
            [+]     "Resource": {
            [+]       "Fn::GetAtt": [
            [+]         "CheckDomainsFunction9CC80B3F",
            [+]         "Arn"
            [+]       ]
            [+]     }
            [+]   },
            [+]   {
            [+]     "Action": "lambda:InvokeFunction",
            [+]     "Effect": "Allow",
            [+]     "Resource": {
            [+]       "Fn::GetAtt": [
            [+]         "CheckDomainsFunction9CC80B3F",
            [+]         "Arn"
            [+]       ]
            [+]     }
            [+]   },
            [+]   {
            [+]     "Action": "lambda:InvokeFunction",
            [+]     "Effect": "Allow",
            [+]     "Resource": {
            [+]       "Fn::GetAtt": [
            [+]         "CheckDomainsFunction9CC80B3F",
            [+]         "Arn"
            [+]       ]
            [+]     }
            [+]   },
..snip..
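Review bot: the three [+] statements in this hunk are byte-for-byte identical (same "lambda:InvokeFunction" Action, same "Allow" Effect, same Fn::GetAtt on CheckDomainsFunction9CC80B3F), so every repeat past the first consumes part of the 10240-byte role policy budget without granting anything new; the hunk header's jump from 5 to 805 lines shows how quickly that adds up. Collapsing identical statements before the PolicyDocument is emitted, so that "Statement" behaves as a set, would keep the grant and remove the size failure.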

I would have expected the policy to be treated like a set (e.g. this permission would only be added once when it’s exactly the same).

While it would be nice to have this solved ‘properly’ at some point, some form of workaround in the meantime would also be awesome. I assume I’ll be able to override/replace the policy document somehow, but haven’t quite figured that out yet.

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Comments:11 (11 by maintainers)

Top GitHub Comments

1 reaction
rix0rrr commented, Feb 19, 2019

But I think the problem might be that it merges the documents :x

1 reaction
rix0rrr commented, Feb 19, 2019

Huh. Honestly, no.

A raw override (addOverride('Properties.PolicyDocument', ...)) might work better?
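As an added example (not code from the aws-cdk project or from this thread), the following shows the two checks a practitioner wants before reaching for the addOverride workaround suggested above: treating the Statement array as a set by de-duplicating statements on a canonical serialisation, and measuring the resulting document against the 10240-byte role policy limit from the error message. The statement shape, the sample document and the size measurement (JSON without whitespace, which is how IAM counts it) are assumptions; the Fn::GetAtt target is copied from the cdk diff in the issue.

```typescript
// Added example: de-duplicate IAM policy statements and check the role
// inline-policy size limit that the issue hit. Not part of aws-cdk.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Statement { Effect: 'Allow' | 'Deny'; Action: Json; Resource: Json; [key: string]: Json; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Limit quoted in the UPDATE_FAILED message above (role inline policy).
const ROLE_INLINE_POLICY_LIMIT = 10240;

// Canonical serialisation: keys sorted recursively, so two statements that
// differ only in key order compare equal.
function canonical(value: Json): string {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const obj: { [key: string]: Json } = value;
    return '{' + Object.keys(obj).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Treat Statement as a set: keep the first copy of each distinct statement.
function dedupeStatements(doc: PolicyDocument): PolicyDocument {
  const seen = new Set<string>();
  const Statement = doc.Statement.filter(s => {
    const key = canonical(s);
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
  return { ...doc, Statement };
}

// IAM does not count whitespace, so measure the compact JSON form. Policy
// JSON is ASCII here, so character count equals byte count (assumption).
function policySizeBytes(doc: PolicyDocument): number {
  return JSON.stringify(doc).length;
}

function fitsRoleInlineLimit(doc: PolicyDocument): boolean {
  return policySizeBytes(doc) <= ROLE_INLINE_POLICY_LIMIT;
}

// Constructed sample: the invoke grant from the diff, once per Parallel branch.
function sampleDocument(branches: number): PolicyDocument {
  const invoke: Statement = {
    Action: 'lambda:InvokeFunction',
    Effect: 'Allow',
    Resource: { 'Fn::GetAtt': ['CheckDomainsFunction9CC80B3F', 'Arn'] },
  };
  return { Version: '2012-10-17', Statement: Array.from({ length: branches }, () => ({ ...invoke })) };
}
```

The de-duplicated document is what you would hand to addOverride('Properties.PolicyDocument', ...) on the synthesised AWS::IAM::Policy if you apply the workaround from the comment above.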
