
(iam) Role policies are frequently exceeding 10kB #14261

Closed
Larkenx opened this issue Apr 19, 2021 · 3 comments
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1

Comments

Larkenx commented Apr 19, 2021

```typescript
// Fields of the aws-iam Role construct quoted by the reporter; all three are private.
private readonly managedPolicies: IManagedPolicy[] = [];
private readonly attachedPolicies = new AttachedPolicies();
private readonly inlinePolicies: { [name: string]: PolicyDocument };
```

In order to support better flexibility when cleaning up the inline policy statements after creating large AWS CDK stacks with several inline IAM policies, we'd like to have read access on these fields so that we can de-dupe inline policy statements whose action and resource are the same but repeated numerous times.

We're frequently exceeding the 10kB policy size limit, and we are looking for ways to improve this.

github-actions bot added the label @aws-cdk/aws-iam (Related to AWS Identity and Access Management) on Apr 19, 2021.
rix0rrr changed the title from "@aws-cdk/aws-iam managed, inline, and attached policies should be either public or protected readonly, not private" to "(iam) Role policies are frequently exceeding 10kB" on Apr 21, 2021.
rix0rrr (Contributor) commented Apr 21, 2021

I don't think giving you more access to mess around in CDK internals is the right solution.

It makes sense to me, for example, to combine resources from otherwise identical policy statements; that's an optimization we can do.

How is this happening for you, what would you personally be doing about this?

As a temporary workaround, you can make your own subclass of Role which implements your optimizations, or pass role.withoutPolicyUpdates() to constructs and just provide the complete policy document yourself.

rix0rrr added the labels bug (This issue is a bug.), effort/medium (Medium work item – several days of effort) and p1 on Apr 21, 2021.
Larkenx (Author) commented Apr 22, 2021

@rix0rrr I agree after tinkering with this for a few days.

We ended up combining our IAM policy statements using Aspects to reduce the size of our inline policy to below the character quota, instead of trying to patch/exclude grants on the IAM Role along the way.

> How is this happening for you, what would you personally be doing about this?

We have a lot of custom higher-level constructs that often involve large numbers of AWS resources, and they're usually built by passing around a single IAM Role and granting it on all the resources.
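The statement-merging approach Larkenx describes, and the optimization rix0rrr suggests above (combining resources from otherwise identical statements), as an added stand-alone example that is not from the issue or from aws-cdk: it merges statements that differ only in Resource, keeps statements with differing Conditions apart so permissions are not widened, and measures the result against the inline-policy quota. The 10,240-character quota and the minified-JSON size approximation are assumptions of this example; in a real stack this logic would run inside an Aspect over the synthesized policy document.

```typescript
// Added example (not aws-cdk code): merge IAM statements that differ only in
// their Resource list so a role's inline policy stays under the quota.
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}

// Assumption: the inline role policy quota, counted in non-whitespace characters.
const INLINE_POLICY_QUOTA = 10240;

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const dedupeSorted = (xs: string[]): string[] => Array.from(new Set(xs)).sort();

// Statements are only merged when Effect, the full Action set and the Condition
// block are identical; merging across differing Conditions would grant the
// role more than the original statements did, so those stay separate.
function mergeKey(s: Statement): string {
  return JSON.stringify([s.Effect, dedupeSorted(asList(s.Action)), s.Condition ?? null]);
}

function mergeStatements(stmts: Statement[]): Statement[] {
  const groups = new Map<string, Statement>();
  for (const s of stmts) {
    const key = mergeKey(s);
    const existing = groups.get(key);
    if (!existing) {
      groups.set(key, { ...s, Action: dedupeSorted(asList(s.Action)), Resource: dedupeSorted(asList(s.Resource)) });
    } else {
      existing.Resource = dedupeSorted([...asList(existing.Resource), ...asList(s.Resource)]);
    }
  }
  return Array.from(groups.values());
}

// Approximation of how the quota is measured: length of the minified document.
function policySize(stmts: Statement[]): number {
  return JSON.stringify({ Version: "2012-10-17", Statement: stmts }).length;
}

// Constructed sample: one role granted the same actions on many resources by
// several constructs, plus a KMS grant that must not merge with its conditioned twin.
const sample: Statement[] = [
  { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::bucket-a/*" },
  { Effect: "Allow", Action: ["s3:PutObject", "s3:GetObject"], Resource: "arn:aws:s3:::bucket-b/*" },
  { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::bucket-a/*" },
  { Effect: "Allow", Action: "kms:Decrypt", Resource: "arn:aws:kms:us-east-1:111122223333:key/example-key",
    Condition: { StringEquals: { "kms:ViaService": "s3.us-east-1.amazonaws.com" } } },
  { Effect: "Allow", Action: "kms:Decrypt", Resource: "arn:aws:kms:us-east-1:111122223333:key/example-key" },
];
```

Running `mergeStatements(sample)` collapses the three S3 statements into one with both bucket ARNs while leaving the two KMS statements separate; `policySize(...) <= INLINE_POLICY_QUOTA` is the check an Aspect would make after merging.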

@Larkenx Larkenx closed this as completed Apr 22, 2021
github-actions bot commented
⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
