Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(codebuild): Too many attached IAM polcies (>10) when reusing a role for many jobs #31198

Closed
1 task
straygar opened this issue Aug 23, 2024 · 3 comments
Closed
1 task

(codebuild): Too many attached IAM polcies (>10) when reusing a role for many jobs #31198

straygar opened this issue Aug 23, 2024 · 3 comments
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@straygar
Copy link

straygar commented Aug 23, 2024
edited
Loading

Describe the bug

I'm reusing the same role for CodeBuild jobs, to make cross-account role assumption easier.

I recently tried adding another project that uses the same role, and ran into the following error:

PDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Cannot exceed quota for PoliciesPerRole: 10 (Service: Iam, Status Code: 409, Request ID: f204aaa8-4799-442b-8e8f-0c481a828dc0)" (RequestToken: 72b7a0bc-37b1-5551-b4ee-faae910ecc84, HandlerErrorCode: ServiceLimitExceeded)

Most of the policies start with CodeBuildBasePolicy-, CodeBuildCachePolicy-, CodeBuildSecretsManagerPolicy- which I can't find a reference to in the CDK codebase? Is it created automatically by CodeBuild?

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The role is created successfully

Current Behavior

Deployment fails with the following:

UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "Cannot exceed quota for PoliciesPerRole: 10 (Service: Iam, Status Code: 409, Request ID: f204aaa8-4799-442b-8e8f-0c481a828dc0)" (RequestToken: 72b7a0bc-37b1-5551-b4ee-faae910ecc84, HandlerErrorCode: ServiceLimitExceeded)

Reproduction Steps

Try to use the same IAM role for 11 CodeBuild projects, e.g. (pseudo-code)

const role = new iam.Role(this, 'Role');
for (let i = 0; i < 11; i++) {
  new Project(this, `Project${i}`, { role });
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

18

OS

OSX

Language

TypeScript

Language Version

No response

Other information

No response
@straygar straygar added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 23, 2024
@github-actions github-actions bot added @aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-codebuild Related to AWS CodeBuild labels Aug 23, 2024
@straygar
Copy link
Author

Hmm... I'm actually not entirely sure where those policies are coming from. Some of them (like CodeBuildBasePolicy-${projectName}) are redundant, as the same permissions exist in the default policy of the role.

Maybe something weird happened when going between CDK versions, and old policies weren't cleaned up? No clue.

@straygar
Copy link
Author

I'm closing this issue, as it seems like it's not related to CDK. I removed some of the redundant policies, added a new job and didn't see new policies created. Not sure where they came from, but seems like it's no longer a problem.

@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild @aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@straygar