CodePipeline/CodeBuild: Maximum policy size of 10240 bytes exceeded for role xxx-role #4465
Assignees
Labels
@aws-cdk/aws-codebuild
Related to AWS CodeBuild
@aws-cdk/aws-codepipeline
Related to AWS CodePipeline
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
bug
This issue is a bug.
in-progress
This issue is being actively worked on.
p1
Comments
markusl
added
bug
|
Thanks for opening the issue @markusl . We are aware of this problem, and are planning to tackle it in #2985. In the meantime, you can add the following "wrapper" class for class ImmutableRole implements iam.IRole {
private readonly role: iam.IRole;
constructor(role: iam.IRole) {
this.role = role;
}
readonly assumeRoleAction = this.role.assumeRoleAction;
readonly grantPrincipal = this.role.grantPrincipal;
readonly node = this.role.node;
readonly policyFragment = this.role.policyFragment;
readonly roleArn = this.role.roleArn;
readonly roleName = this.role.roleName;
readonly stack = this.role.stack;
addManagedPolicy(policy: iam.IManagedPolicy): void {
// do nothing
}
addToPolicy(statement: iam.PolicyStatement): boolean {
return false;
}
attachInlinePolicy(policy: iam.Policy): void {
// do nothing
}
grant(grantee: iam.IPrincipal, ...actions: string[]): iam.Grant {
return this.role.grant(grantee, ...actions);
}
grantPassRole(grantee: iam.IPrincipal): iam.Grant {
return this.role.grantPassRole(grantee);
}
}And use it in your code: const pipeline = new codepipeline.Pipeline(stack, `Pipeline`, {
pipelineName: name,
role: new ImmutableRole(codePipelineRole(stack)), // Import role
artifactBucket: bucket,
});
const source = new codepipeline.Artifact('Source');
pipeline.addStage({
stageName: 'Source',
actions: [
new codepipeline_actions.CodeCommitSourceAction({
actionName: 'Source',
repository,
output: source,
role: new ImmutableRole(codeCommitRole(stack)), // Import role
}),
],
});
const buildOutput = new codepipeline.Artifact();
pipeline.addStage({
stageName: 'Build',
actions: [
new codepipeline_actions.CodeBuildAction({
actionName: 'Build',
input: source,
project,
outputs: [buildOutput],
role: new ImmutableRole(pipeline.role),
}),
],
});
pipeline.addStage({
stageName: 'UpdateDev',
actions: [
// See https://github.com/aws/aws-cdk/issues/4375
new MyEcsDeployAction({
actionName: 'DeployImage',
clusterName: clusterNameDev,
serviceName: name,
input: buildOutput,
role: new ImmutableRole(crossAccountDeployerRole(stack)), // Import role
}),
],
});Hope this helps! Thanks, |
|
Also, if the roles that you're using are all imported, you can pass the const importedRole = iam.Role.fromRoleArn(this, 'R',
'arn:aws:iam::123456789012:role/role-name', {
mutable: false,
}
); |
SomayaB
added
@aws-cdk/aws-codebuild
|
Thanks for quick answer @skinny85 ! For the roles used in Our CodeBuildRole used for I also tried the |
|
Is your |
|
Yes it is. Sorry that I forgot to include this information before. // Here's a snippet from our templates
const project = new codebuild.Project(stack, `Project`, {
role: codeBuildRole(stack),
encryptionKey: artifactBucket.encryptionKey,
cache: codebuild.Cache.local(codebuild.LocalCacheMode.DOCKER_LAYER, codebuild.LocalCacheMode.SOURCE),
environment: {
buildImage: codebuild.LinuxBuildImage.STANDARD_2_0,
computeType: codebuild.ComputeType.MEDIUM,
privileged: true, // Needed for building Docker images within Docker
environmentVariables: { ... },
},
source: codebuild.Source.codeCommit({
repository
}),
vpc: ec2.Vpc.fromVpcAttributes(stack, `ProjectVpc`, Vpc),
}); |
|
Yeah, that won't work with |
|
Can you show me the code that leads to this error you posted above? This looks like you've passed |
|
That is actually weird one because it probably should be null. Here is a short repro for what I'm seeing: const role = new ImmutableRole(
iam.Role.fromRoleArn(stack, `CodeBuildRole`,
`arn:aws:iam::${DevopsAccountNumber}:role/CodeBuildRole`));If I split it to two parts I still get the error during synth: const rawRole = iam.Role.fromRoleArn(stack, `CodeBuildRole`, `arn:aws:iam::${DevopsAccountNumber}:role/CodeBuildRole`);
if (rawRole === undefined) {
throw new Error('undefined'); // This one is not thrown
}
const role = new ImmutableRole(rawRole);
/*
TypeError: Cannot read property 'assumeRoleAction' of undefined
at new ImmutableRole (pipeline-master.js:67:43)
at Object.exports.createCodeBuildProject (pipeline-master.js:99:18)
*/ |
|
Got it. I think it was a simple TypeScript error on my part. Try this: export class ImmutableRole implements iam.IRole {
constructor(private readonly role: iam.IRole) {
}
readonly assumeRoleAction = this.role.assumeRoleAction;
readonly grantPrincipal = this.role.grantPrincipal;
readonly node = this.role.node;
readonly policyFragment = this.role.policyFragment;
readonly roleArn = this.role.roleArn;
readonly roleName = this.role.roleName;
readonly stack = this.role.stack;
addManagedPolicy(policy: iam.IManagedPolicy): void {
// do nothing
}
addToPolicy(statement: iam.PolicyStatement): boolean {
return false;
}
attachInlinePolicy(policy: iam.Policy): void {
// do nothing
}
grant(grantee: iam.IPrincipal, ...actions: string[]): iam.Grant {
return this.role.grant(grantee, ...actions);
}
grantPassRole(grantee: iam.IPrincipal): iam.Grant {
return this.role.grantPassRole(grantee);
}
} |
|
Thanks for looking into this! The immutable role works now in a similar way than the imported immutable role which results in an error for each pipeline: |
|
Yeah, I know :/ This is kind of a miss on our part, but I have an idea for a fix. Stay tuned. |
skinny85
added a commit
to skinny85/aws-cdk
that referenced
this issue
Oct 14, 2019
This adds an IRole implementation that ignores all mutating operations. To accommodate this new behavior, add a new method to IIdentity: createAndAttachPolicy, which is meant to replace attachInlinePolicy, which can leave Policy resources unattached, which is illegal in CloudFormation. Fixes aws#2985 Fixes aws#4465
skinny85
added a commit
to skinny85/aws-cdk
that referenced
this issue
Oct 18, 2019
This adds an IRole implementation that ignores all mutating operations. To accommodate this new behavior, add a new method to IIdentity: createAndAttachPolicy, which is meant to replace attachInlinePolicy, which can leave Policy resources unattached, which is illegal in CloudFormation. Fixes aws#2985 Fixes aws#4465
skinny85
added a commit
to skinny85/aws-cdk
that referenced
this issue
Oct 21, 2019
This adds an IRole implementation that ignores all mutating operations. To accommodate this new behavior, add a new method to IIdentity: createAndAttachPolicy, which is meant to replace attachInlinePolicy, which can leave Policy resources unattached, which is illegal in CloudFormation. Fixes aws#2985 Fixes aws#4465
skinny85
added a commit
to skinny85/aws-cdk
that referenced
this issue
Oct 23, 2019
This adds an IRole implementation that ignores all mutating operations. To accommodate this new behavior, add a new method to IIdentity: createAndAttachPolicy, which is meant to replace attachInlinePolicy, which can leave Policy resources unattached, which is illegal in CloudFormation. Fixes aws#2985 Fixes aws#4465
skinny85
added
p1
@aws-cdk/aws-iam
rix0rrr
added a commit
that referenced
this issue
Jan 15, 2020
Add a new method to `Role` called `withoutPolicyUpdates()`, which returns a wrapper object that will drop all policy updates. This can be used in situations where you want to skip the default IAM permission adding behavior of CDK. Needs only be used with roles that are created in the same CDK application; for imported roles, supplying `mutable=false` when calling `Role.fromRoleArn()` is sufficient. Fixes #2985. Fixes #4465. Closes #4501.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We are deploying a set of CodePipeline & CodeBuild stacks with AWS CDK and hit the following errors:
As you can see, we are trying to use our custom build, pipeline and deployment roles for our setup.
We have setup the IAM roles so that they are limited to certain resources with certain prefixes in certain regions. The IAM roles are already suitable for pipeline, build and deployment usage. The problem seems to be that CDK adds more policies to the roles until the stack update is cancelled because the resource limit is exceeded.
In our use case we are forced to use hand-crafter CloudFormation templates until we can fully move to CDK. This is currently a blocker for us.
Reproduction Steps
Creating multiple pipelines with following code:
Proposed solution
Two possibilities come to my mind:
Provide a way to use the role as-is, without adding any new policies and assume it has been already set up properly.
Another way could possibly be to create new policies rather than inline policies that fill up the limited space very quickly.
Environment
This is🐛 Bug Report
The text was updated successfully, but these errors were encountered: