
CodePipeline: Maximum policy size of 10240 bytes exceeded for role xxx #19243

Closed
poppoerika opened this issue Mar 4, 2022 · 2 comments
Labels
@aws-cdk/aws-codepipeline Related to AWS CodePipeline bug This issue is a bug. duplicate This issue is a duplicate.

Comments

@poppoerika

What is the problem?

We have a CDK pipeline that creates several other CodePipelines during its execution. Most of the pipelines it creates deploy one or two CloudFormation stacks to various accounts. However, we recently attempted to add a new pipeline that deploys 5 CloudFormation stacks. Afterward we encountered the following error with the Logical ID xxxRoleDefaultPolicyxxx:

Maximum policy size of 10240 bytes exceeded for role xxx (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: xxx; Proxy: null)

It seems that more AssumeRole statements are added to the role as we add stacks to the pipeline until the stack update is cancelled due to exceeding the maximum policy size.

The following are a few examples of the PolicyDocument statements added automatically:

{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxPlaceholderActionNameCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},
{
  "Action": "sts:AssumeRole",
  "Effect": "Allow",
  "Resource": {
    "Fn::GetAtt": [
      "xxxCodePipelineActionRolexxx",
      "Arn"
    ]
  }
},

It seems that there are some policies created by the CDK pipeline that grow in proportion to the number of resources in the child pipeline, so that after a certain point there is no way to deploy the CDK pipeline.

This has caused us not to be able to deploy all the stacks from a single stage in this wave, which resulted in extra engineer effort for the deployment.

Is there any way to prevent the policy from growing unbounded like this?

Please let us know if you need additional snippets from the generated template or anything else.

Reproduction Steps

--

What did you expect to happen?

The new CodePipeline that deploys 5 CloudFormation stacks in our CDK pipeline gets executed without any issues.

What actually happened?

Some policies created by the CDK pipeline grow in proportion to the number of resources in the child pipeline, so that after a certain point there is no way to deploy the CDK pipeline.

CDK CLI Version

2.4.0

Framework Version

No response

Node.js Version

--

OS

--

Language

Typescript

Language Version

4.4.2

Other information

No response
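The growth described in the report (one sts:AssumeRole statement per action role until the 10240-byte inline policy limit is hit) as an added example, not code from the issue or from aws-cdk: it measures a policy document the way IAM does (compact JSON, whitespace not counted), flags documents over the limit, and shows why merging statements that share Action and Effect into one statement with a de-duplicated Resource list keeps a pipeline with many action roles under the cap. The logical IDs and function names are hypothetical.

```typescript
interface Statement { Action: string; Effect: "Allow" | "Deny"; Resource: any; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Limit quoted in the issue's error message (IAM inline policy size per role).
const ROLE_POLICY_LIMIT_BYTES = 10240;

// IAM does not count whitespace, so measure the compact JSON form in bytes.
function policySizeBytes(doc: PolicyDocument): number {
  return new TextEncoder().encode(JSON.stringify(doc)).length;
}

function exceedsLimit(doc: PolicyDocument): boolean {
  return policySizeBytes(doc) > ROLE_POLICY_LIMIT_BYTES;
}

// One statement of the shape shown in the issue, for a (hypothetical) logical ID.
function assumeRoleStatement(logicalId: string): Statement {
  return { Action: "sts:AssumeRole", Effect: "Allow", Resource: { "Fn::GetAtt": [logicalId, "Arn"] } };
}

// Merge statements sharing Action and Effect into one statement whose Resource
// list is de-duplicated (the issue's excerpt references the same role twice).
function consolidate(statements: Statement[]): Statement[] {
  const groups: { [key: string]: { stmt: Statement; seen: { [r: string]: boolean }; res: any[] } } = {};
  const order: string[] = [];
  for (const s of statements) {
    const key = s.Action + "|" + s.Effect;
    if (!groups[key]) { groups[key] = { stmt: s, seen: {}, res: [] }; order.push(key); }
    const resources: any[] = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    for (const r of resources) {
      const rk = JSON.stringify(r);
      if (!groups[key].seen[rk]) { groups[key].seen[rk] = true; groups[key].res.push(r); }
    }
  }
  return order.map(function (k): Statement {
    const g = groups[k];
    return { Action: g.stmt.Action, Effect: g.stmt.Effect, Resource: g.res.length === 1 ? g.res[0] : g.res };
  });
}

// Constructed policy: N action roles, each referenced twice as in the excerpt.
function buildPolicy(actionRoles: number, consolidated: boolean): PolicyDocument {
  const raw: Statement[] = [];
  for (let i = 0; i < actionRoles; i++) {
    const id = "Stage" + i + "DeployCodePipelineActionRole" + i; // hypothetical logical ID
    raw.push(assumeRoleStatement(id), assumeRoleStatement(id));
  }
  return { Version: "2012-10-17", Statement: consolidated ? consolidate(raw) : raw };
}
```

Running policySizeBytes over the PolicyDocument of each AWS::IAM::Policy in a synthesized template catches this before cdk deploy rather than at CloudFormation update time.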

@poppoerika poppoerika added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 4, 2022
@github-actions github-actions bot added the @aws-cdk/aws-codepipeline Related to AWS CodePipeline label Mar 4, 2022
@NGL321 NGL321 added duplicate This issue is a duplicate. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 4, 2022
@NGL321
Contributor

NGL321 commented Mar 4, 2022

Hey @poppoerika,

Thank you for reporting this! This is a design problem we are well aware of and have a fix in progress. I am resolving this issue in favor of tracking via #16244 and the potentially resolving PR #19114.

@NGL321 NGL321 closed this as completed Mar 4, 2022
@github-actions

github-actions bot commented Mar 4, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
