aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Maximum policy size of 10240 bytes exceeded for IAM Role #850

Open SayeedMahmood opened 1 year ago

SayeedMahmood commented 1 year ago

Which Category is your question related to? It is related to amplify-api category.

Amplify CLI Version We are currently using amplify 5.0.0

What AWS Services are you utilizing? We are using AWS Serverless Stack. We are using AWS Cognito authentication and User Pool Groups. AWS Lambda, Cloudformation, DynamoDB, and AWS API Gateway. Region -> ap-south-1

While running the command "amplify push" we faced the issue of "Maximum policy size of 10240 bytes exceeded for role [region]_[id]-adminsGroupRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: 60ddbc7d-4ab3-4726-ba02-1900bdbc145f; Proxy: null)". We used a temporary fix (which I will mention below) so far, but it started coming up for other user groups, and the same fix does not work for them.

Example of one of the inline policies amplify creates (including two methods; for admins they have all methods similarly):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/POST/books/*",
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/POST/books",
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/GET/books/*",
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/GET/books"
            ],
            "Effect": "Allow"
        }
    ]
}

The temporary fix for admins (only works when they need all permissions). Basically, put an asterisk "*" instead of a specific method in the autogenerated cloudformation template.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": [
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/*/books/*",
                "arn:aws:execute-api:[region]:[account-id]:[api-id]/[env]/*/books"
            ],
            "Effect": "Allow"
        }
    ]
}

This would solve the issue. But as you can tell, as the resources keep increasing, this issue will become impossible to fix, especially when other group roles also start giving me this issue where they should have limited permissions.

I read about a similar issue here -- https://github.com/aws-amplify/amplify-cli/issues/2703 However, when I mentioned this on Amplify discord channel, I was informed that this issue looks similar and not the same.

I have noticed that the latest version for amplify cli is 10.2.0 (edit: I saw this in the release notes, while the cli still says the latest is 10.0.0). I wanted to know if this issue is fixed in any later version. If so, I would also like to know which version we can transition into safely and any major changes we should be expecting. It would be great if you can also tell us any workaround if there's no fix.

josefaidt commented 1 year ago

Hey @SayeedMahmood :wave: thanks for taking the time to file this! I've marked this as a bug for the team to evaluate further 🙂

FelixWaweru commented 1 year ago

I am also having the same issue with my policies when running 'amplify push' in my cli.

ddotx commented 1 year ago

I solved it by override api, see https://docs.amplify.aws/cli/restapi/override/

BeastM0de commented 1 year ago

I'm also facing this issue (Amplify CLI v11.1.1).

Workaround I used for now was to consolidate endpoints under a smaller set of base paths. Note: I had to manually remove policies from the role to give enough headroom for the stack to update successfully.

This limitation is going to be a problem in the long run as my API grows in complexity. Would like to see this addressed natively without having to override the generated resources.

yaquawa commented 1 year ago

same issue here.

DougieDevMajor commented 1 year ago

Same issue for me

DougieDevMajor commented 1 year ago

> I solved it by override api, see https://docs.amplify.aws/cli/restapi/override/

Can you show us the code for this? @ddotx

ddotx commented 1 year ago

I mean on my case I can solve it by using the * to reduce the policy size.

import { AmplifyApiRestResourceStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiRestResourceStackTemplate) {
  // Replace the generated policy document for one path/group with a smaller one
  resources.policies['xxx'].groups['xxx'].policyDocument = { ... };
}

see this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html

yashBrahma commented 10 months ago

> Hey @SayeedMahmood 👋 thanks for taking the time to file this! I've marked this as a bug for the team to evaluate further 🙂

Any Updates on this issue @josefaidt We are also facing the same issue

Tran-Minh23 commented 10 months ago

import { AmplifyApiRestResourceStackTemplate, AmplifyProjectInfo } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiRestResourceStackTemplate, amplifyProjectInfo: AmplifyProjectInfo) {
  // Collapse the generated per-method ARNs for /chart into one any-method ARN
  // for the AdminUser group, with the stage taken from the current environment
  resources.policies["/chart"].groups['AdminUser'].policyDocument = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "execute-api:Invoke",
        "Resource": [
            `arn:aws:execute-api:ap-southeast-1:accountId:${resources.restApi.attrRestApiId}/${amplifyProjectInfo.envName}/*/chart`
        ]
    }]
  }
}

This is how I configure the policy override for each environment.

sonywijaya commented 2 months ago

My temporary fix

amplify override api

then in override.ts:

// This file is used to override the REST API resources configuration
import { AmplifyApiRestResourceStackTemplate, AmplifyProjectInfo } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiRestResourceStackTemplate, amplifyProjectInfo: AmplifyProjectInfo) {
    resources.policies["/path"].groups['Public'].policyDocument = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": [
                `arn:aws:execute-api:ap-southeast-1:[accountId]:${resources.restApi.ref}/${resources.deploymentResource.stageName}/*/*`
            ]
        }]
    }
}
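The following is an added example, not code from the Amplify CLI or from anyone in this thread. It covers two points raised above: the size estimate behind the original report (the CLI emits two `execute-api` ARNs per method per path, so a group's inline policy bytes grow with paths × methods until the 10240 limit in the error message is hit), and a programmatic version of the `*`-method override the later comments hand-write per path. The collapse only rewrites paths where a group already holds every method, so it never grants a method the group did not have; groups with limited permissions keep their per-method ARNs and are reported, not widened. Assumptions: the region, account, API id and stage in `ARN_PREFIX` are placeholders, the method list is the CRUD set, and `AmplifyPolicies` is a stand-in for the shape of `resources.policies` seen in the override snippets, not the real `AmplifyApiRestResourceStackTemplate` type.

```typescript
// Added example: model the per-group execute-api policy Amplify generates,
// measure it against the IAM inline-policy limit, and collapse it safely.
// ARN_PREFIX holds placeholder values; AmplifyPolicies is an assumed stand-in
// for the shape of `resources.policies`, not the Amplify type.

export const IAM_INLINE_POLICY_LIMIT = 10240; // limit quoted in the error message
export const ALL_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']; // assumed CRUD set

export interface PolicyDocument {
  Version: string;
  Statement: Array<{ Effect: string; Action: string[]; Resource: string[] }>;
}

export interface AmplifyPolicies {
  [path: string]: { groups: { [group: string]: { policyDocument: PolicyDocument } } };
}

const ARN_PREFIX = 'arn:aws:execute-api:ap-south-1:123456789012:a1b2c3d4e5/dev'; // placeholders

// Amplify emits two resources per method: the path itself and everything under it.
export function arnsFor(method: string, path: string): string[] {
  return [`${ARN_PREFIX}/${method}${path}/*`, `${ARN_PREFIX}/${method}${path}`];
}

export function generatedPolicy(path: string, methods: string[]): PolicyDocument {
  const resources: string[] = [];
  for (const m of methods) resources.push(...arnsFor(m, path));
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['execute-api:Invoke'], Resource: resources }],
  };
}

// IAM does not count whitespace, so measure the compact JSON form; the
// document is ASCII, so string length equals byte length.
export function policyBytes(doc: PolicyDocument): number {
  return JSON.stringify(doc).length;
}

// Inline-policy bytes a group's role would carry across every path.
export function roleInlineBytes(policies: AmplifyPolicies, group: string): number {
  let total = 0;
  for (const path of Object.keys(policies)) {
    const entry = policies[path].groups[group];
    if (entry) total += policyBytes(entry.policyDocument);
  }
  return total;
}

// "arn:aws:execute-api:<region>:<acct>:<api>/<stage>" + "/<method>" + "<path>"
const EXECUTE_API_ARN = /^(arn:aws:execute-api:[^/]+\/[^/]+)\/([^/]+)(\/.*)$/;

interface Bucket { base: string; path: string; methods: string[]; arns: string[] }

// Replace per-method ARNs with the `*` method form only for paths whose
// resources already cover every method in allMethods. Partial method sets,
// ARNs already using `*`, and ARNs this parser does not recognise are kept.
export function collapsePolicy(doc: PolicyDocument, allMethods: string[] = ALL_METHODS): PolicyDocument {
  const statements = doc.Statement.map((st) => {
    const buckets: { [key: string]: Bucket } = {};
    const order: string[] = [];
    for (const arn of st.Resource) {
      const m = EXECUTE_API_ARN.exec(arn);
      const key = m ? `${m[1]}${m[3]}` : arn; // group by stage + path, ignoring method
      if (!buckets[key]) {
        buckets[key] = { base: m ? m[1] : '', path: m ? m[3] : '', methods: [], arns: [] };
        order.push(key);
      }
      if (m) buckets[key].methods.push(m[2]);
      buckets[key].arns.push(arn);
    }
    const resources: string[] = [];
    for (const key of order) {
      const b = buckets[key];
      const full = b.base !== '' && allMethods.every((m) => b.methods.indexOf(m) >= 0);
      if (full) resources.push(`${b.base}/*${b.path}`);
      else resources.push(...b.arns);
    }
    return { Effect: st.Effect, Action: st.Action, Resource: resources };
  });
  return { Version: doc.Version, Statement: statements };
}

// What an override.ts body could do with `resources.policies`: collapse every
// group's document in place instead of hand-writing each path.
export function collapseAll(policies: AmplifyPolicies): void {
  for (const path of Object.keys(policies)) {
    for (const group of Object.keys(policies[path].groups)) {
      const entry = policies[path].groups[group];
      entry.policyDocument = collapsePolicy(entry.policyDocument);
    }
  }
}

// Constructed sample: 16 REST paths, admins hold every method, readers only GET.
export function samplePolicies(): AmplifyPolicies {
  const policies: AmplifyPolicies = {};
  for (let i = 0; i < 16; i++) {
    policies[`/resource${i}`] = {
      groups: {
        admins: { policyDocument: generatedPolicy(`/resource${i}`, ALL_METHODS) },
        readers: { policyDocument: generatedPolicy(`/resource${i}`, ['GET']) },
      },
    };
  }
  return policies;
}
```

On the constructed sample, the admins role exceeds 10240 bytes before `collapseAll` and fits afterwards, while the readers documents are left byte-for-byte unchanged. In a real override.ts the equivalent call would be `collapseAll(resources.policies)` inside `override(...)`; a group that legitimately has a partial method set on many paths still hits the limit, which is the case the reporter says the `*` workaround cannot fix.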