API IAM Authorization Role Error: Maximum policy size of 10240 bytes exceeded for role #2084
Comments
attilah
added
pending-response
|
@darnmark64 That's a limitation of IAM and the cognito service allowing just one auth rule. You can open up a feature request (for increasing of IAM role policy size) for Cognito and IAM in this forum - https://forums.aws.amazon.com/forum.jspa?forumID=76 From the Amplify side, what we can do is create managed policies instead of having inline policies. Marking this as an enhancement. |
|
We are facing the same issue and now we are aggregating some APIs and deleting others to decrease the policy size. This feature is very urgent guys as Amplify is taking some relevant space on web/mobile backend development. Please take a look on this! Thanks in advance by the way! =) |
|
Also seeing this now with ~6 REST API's, one GraphQL API and more or less 13 functions for the project. This started happening after we added the IAM policy to most models in order to be able to do GraphQL queries directly from Lambda. What do we do now? Amplify/Cognito/DynamoDB/CloudFormation is limitation after limitation after limitation. |
|
Any update on this or a sensible workaround? |
|
The fact that the AWS team is ignoring issues like this for weeks without providing workarounds or a timeline on a fix is worrying, to say the least. |
|
@houmark this has just started happening to me. Absolutely no way around it and utterly useless error message. |
|
I'm running into the same issue. How should this be handled? The application I'm creating isn't that large and this limitation is preventing further development. |
|
@kaustavghosh06 any further recommendation on this issue? |
|
Same to me, we are creating an important application, small in terms of lambdas, etc. and I'm getting the same error when trying to deploy a new lambda. What we can do??? |
Use managed policies instead of inline policies for GraphQL API policy generation for auth and unauth roles. Also take into account the policy size and create multiple policies of needed. This means that 6144 bytes long can be 1 policy and 10 Managed Policies can be attached to a single role and that 10 can be raised to 20 by AWS Support, which raises the maximum policy size to ~120kb, which is 10 times the currently supported size. This PR does not solve the policy size issue for API Gateway (#2084), but since sizes are adding up, perhaps customers can be unblocked by this change.
|
Hello everyone. We've released a fix for this issue with the latest version of the CLI. Would be great if you'll could test it out and let us know if you're still having troubles with the IAM Policy size. |
|
@kaustavghosh06 /@ttilah I've just encountered this - updated the CLI but not seeing any change. Is there some commands that needs to be run to move these policies? |
|
Hi I just meet the same limitation. |
|
Hi guys. Check out my blog post which explains this issue and how to work around it by modifying your amplify cloud formation templates. https://ziggy6792.github.io/posts/amplify-lambda-dynamodb/#potential-maximum-policy-size-issue-when-running-amplify-push |
|
Same problem here. I have User Groups and for each resource, Amplify CLI is adding a new inline policy to the auth role, so I hit the limit. I even tried switching to Cognito Authorizer and bypass all this User Group authorization but that'll be a long road now that I have lots of resources. @ziggy6792 I have checked your post, it helps but just in short run and only if we have lots of tables. Thanks for posting it though. |
I have used User Groups and I can still see inline policies for each group role, I'm not sure if your changes are there. Could you please confirm if it's properly merged and working? |
|
I have run into this same problem amplify -v 4.21.1 - ca-central - I have small test application with only half a dozen functions, 3 tables and 2 groups in a REST config ( no GraphQL/AppSync - Canada ) - I'm surprised I bumped into this. My solution for now is to not use groups - but that's a terrible long term strategy. Hoping something else can be brought to light ? Is this region specific by chance? |
|
@kaustavghosh06 /@ttilah - I've upgraded to 4.22 this evening and upon adding a new API to my project, bumped into the same problem. Is this just a fact of life with Amplify? I have 11 functions, 5 api's which I can consolidate and 4 storage tables and one s3 bucket. Should I just give up trying to make this work? Not sure how to proceed ... |
|
@jgmurray23 I ended up editing all policies manually to reduce the size. You can do it by finding policies in files with this naming format (mostly): For example, let's say we have two paths on an API but their policy is the same and let's say like me you're using Imagine that this could be the case for all endpoints that you specified for each group and each path, so on this example we can combine them into one (manually of course) to save some space: If it's not clear, in the second block I replaced the 2 polcies using a wild card instead of the path because my group has the same permission on both
Well, I'm not saying this is the best solution but at least you won't get stuck until the community can think of a better way. |
|
Super cool thanks for your help! I need to learn more about policies anyway - I figured I was in for some manual manipulation - so be it. I totally understand this is a community project - and these folks have done amazing work - but what I can't understand is how AWS can market this so hard, with some many testimonials when obvious limitations like this exist - bit of naivety on my part of course - but it still boggles my mind! |
You're most welcome! |
|
Hi @attilah @kaustavghosh06 - You closed this issue on 10th December 2019 but since then many people are still reporting that the problem exists and I have encountered it myself today using CLI version 4.41.0 I'm wondering if this was incorrectly closed in response to issue #2883 which solved the same problem but for GraphQL API policy. The fix there was to change to use managed policies split by size. If there was a similar fix for this issue with API Gateway would we not expect the same approach to be evident? Currently the API Gateway policies are still just all aggregated inline on the auth role policy. Given that, is there any other solution other than the manual methods suggested above for editing the API cloudformation templates? Many thanks |
edwardfoyle
added
bug
|
@adriangostling we reopened it to track as an active workitem, the changes for policy slicing was only done for GraphQL APIs not REST ones back then. |
|
Running into this issue as well |
|
Appreciate all of the work on this issue! We've just run into this issue, and I've noticed that it looks like a fix was merged recently. Do we know when we can expect this fix to be available? It's currently halting development. Thanks so much! Love Amplify! |
|
👋 Hi, this issue was referenced in the v4.50.0 release! Check out the release notes here https://github.com/aws-amplify/amplify-cli/releases/tag/v4.50.0. |
github-actions
bot
added
the
referenced-in-release
|
This has been addressed in the latest version of the CLI |
|
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
Our application has 11 API Gateway definitions with multiple endpoints (GET, POST, PUT, DELETE). Each endpoint restricts API access to authorized users. We're running into the error condition "Maximum policy size of 10240 bytes exceeded for role" when the IAM authRole is updated. I've read that we should split up the authRole but I don't see how to do that in Amplify. Any help would be greatly appreciated as this error condition is limiting our ability to use Amplify.
The text was updated successfully, but these errors were encountered: