"Maximum policy size of 10240 bytes exceeded" when stage = ""
Are you certain it’s a bug?
- Yes, it looks like a bug
Is the issue caused by a plugin?
- It is not a plugin issue
Are you using the latest version?
- Yes, I’m using the latest version
Is there an existing issue for this?
- I have searched existing issues, it hasn’t been reported yet
Issue description
This seems related to pull request #6212.
I’m working on a project where each environment has its own AWS account. The stage property is therefore not relevant, as there is a single package artifact deployed to all environments.
When a stage is defined, the IAM resources get correctly combined with a wildcard as per #6212. E.g.:

```json
//stage: "dev"
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup"
  ],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug-dev*:*"
    }
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "logs:PutLogEvents"
  ],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug-dev*:*:*"
    }
  ]
}
```
…but if the stage is set explicitly to empty-string, separate IAM resource statements are generated for each lambda function, which exceeds the IAM policy size limit when there are many functions:

```json
//stage: ""
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogStream",
    "logs:CreateLogGroup"
  ],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug--handler1:*"
    },
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug--handler2:*"
    }
  ]
},
{
  "Effect": "Allow",
  "Action": [
    "logs:PutLogEvents"
  ],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug--handler1:*:*"
    },
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/stage-bug--handler2:*:*"
    }
  ]
}
```
The workaround is simple - just declare a fixed stage value that is not environment specific (e.g. "default"), but I want to record this behaviour in case other people get stuck on it for a long time like I did!
Service configuration (serverless.yml) content
```yaml
service: stage-bug
variablesResolutionMode: 20210326
frameworkVersion: '2'
provider:
  name: aws
  runtime: nodejs14.x
  lambdaHashingVersion: 20201221
  region: eu-west-2
  memorySize: 512
  stage: ""
functions:
  handler1:
    handler: example.handler
    events:
      - httpApi:
          path: /handler1
          method: get
  handler2:
    handler: example.handler
    events:
      - httpApi:
          path: /handler2
          method: get
```
Command name and used flags
serverless package
Command output
N/A
Environment information
Framework Core: 2.68.0
Plugin: 5.5.1
SDK: 4.3.0
Components: 3.18.1
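The two statement shapes pasted in the report, as an added illustrative model (not Serverless Framework code): it reproduces the ARN pattern visible in the output above so the resulting policy size can be compared against the 10240-byte limit from the title, and shows roughly how many functions an empty stage tolerates before hitting it. The pseudo-parameter values and the account id used for sizing are constructed sample values.

```javascript
// Added example, not code from the Serverless Framework: a small model of the two
// log-group ARN shapes shown in the issue, used to measure resulting policy size.
const MAX_POLICY_BYTES = 10240; // IAM inline policy limit named in the issue title

const LOG_GROUP_ARN_PREFIX =
  'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/';

// Mimics the pasted output: a non-empty stage collapses to one wildcard
// log-group ARN per statement; an empty stage emits one ARN per function.
function buildLogStatements(service, stage, functionNames) {
  const groups = stage
    ? [`${service}-${stage}*`]
    : functionNames.map((fn) => `${service}-${stage}-${fn}`);
  const resources = (suffix) =>
    groups.map((g) => ({ 'Fn::Sub': LOG_GROUP_ARN_PREFIX + g + suffix }));
  return [
    { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:CreateLogGroup'], Resource: resources(':*') },
    { Effect: 'Allow', Action: ['logs:PutLogEvents'], Resource: resources(':*:*') },
  ];
}

// Constructed sample values for the CloudFormation pseudo parameters; the
// account id is a placeholder, not a real account.
const SAMPLE_PARAMS = { 'AWS::Partition': 'aws', 'AWS::Region': 'eu-west-2', 'AWS::AccountId': '123456789012' };

// Resolve Fn::Sub with the sample values and return the compact JSON size;
// IAM does not count whitespace toward the limit, so compact JSON is the right measure.
function policyBytes(statements, params = SAMPLE_PARAMS) {
  const resolve = (r) =>
    typeof r === 'string' ? r : r['Fn::Sub'].replace(/\$\{([^}]+)\}/g, (m, k) => params[k] ?? m);
  const policy = {
    Version: '2012-10-17',
    Statement: statements.map((s) => ({ ...s, Resource: s.Resource.map(resolve) })),
  };
  return JSON.stringify(policy).length;
}

// Smallest function count at which the generated policy would exceed the limit
// (searched up to 500 functions); Infinity means the size does not grow with count.
function functionsUntilLimit(service, stage, maxBytes = MAX_POLICY_BYTES) {
  const names = [];
  for (let i = 1; i <= 500; i++) {
    names.push(`handler${i}`);
    if (policyBytes(buildLogStatements(service, stage, names)) > maxBytes) return i;
  }
  return Infinity;
}
```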
Hi @pgrzesik, sorry for the late reply! Thanks for pinging out. 😃 Just as feedback… I have been working with deployment with a manually modified version of the IAM permissions for a while now, and everything seems to be working. Let me know if you have any findings on it. I believe it would bring a huge optimization to the Serverless framework for a very small change (if no cons are found).
Hello @MikeRippon, thanks for your patience - at the moment Framework does not support empty stage and such notation will be restricted in v3. We might consider support for empty stage in the future but it will require deeper investigation on our side as a lot of current logic depends on `stage` being defined. I’m going to close this ticket for now and we might revisit it in the future.