Description
We are deploying a set of CodePipeline & CodeBuild stacks with AWS CDK and hit the following errors:
Maximum policy size of 10240 bytes exceeded for role xxx-CodeBuildRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: )
Maximum policy size of 10240 bytes exceeded for role xxx-CodePipelineRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: )
Maximum policy size of 10240 bytes exceeded for role xxx-CrossAccountDeployerRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID:)
As you can see, we are trying to use our custom build, pipeline and deployment roles for our setup.
We have set up the IAM roles so that they are limited to certain resources with certain prefixes in certain regions. The IAM roles are already suitable for pipeline, build and deployment usage. The problem seems to be that CDK adds more policies to the roles until the stack update is cancelled because the resource limit is exceeded.
In our use case we are forced to use hand-crafted CloudFormation templates until we can fully move to CDK. This is currently a blocker for us.
Reproduction Steps
Creating multiple pipelines with the following code:

```typescript
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
// `stack`, `name`, `bucket`, `repository`, `project`, `clusterNameDev`,
// the role-importing helpers and `MyEcsDeployAction` are defined elsewhere.

const pipeline = new codepipeline.Pipeline(stack, `Pipeline`, {
  pipelineName: name,
  role: codePipelineRole(stack), // Import role
  artifactBucket: bucket,
});

const source = new codepipeline.Artifact('Source');
pipeline.addStage({
  stageName: 'Source',
  actions: [
    new codepipeline_actions.CodeCommitSourceAction({
      actionName: 'Source',
      repository,
      output: source,
      role: codeCommitRole(stack), // Import role
    }),
  ],
});

const buildOutput = new codepipeline.Artifact();
pipeline.addStage({
  stageName: 'Build',
  actions: [
    new codepipeline_actions.CodeBuildAction({
      actionName: 'Build',
      input: source,
      project,
      outputs: [buildOutput],
      role: pipeline.role,
    }),
  ],
});

pipeline.addStage({
  stageName: 'UpdateDev',
  actions: [
    // See https://github.com/aws/aws-cdk/issues/4375
    new MyEcsDeployAction({
      actionName: 'DeployImage',
      clusterName: clusterNameDev,
      serviceName: name,
      input: buildOutput,
      role: crossAccountDeployerRole(stack), // Import role
    }),
  ],
});
```

Proposed solution
Two possibilities come to my mind:
- Provide a way to use the role as-is, without adding any new policies, and assume it has already been set up properly.
- Another way could possibly be to create new policies rather than inline policies that fill up the limited space very quickly.
Environment
- **CLI Version:** 1.12.0
- **Framework Version:** 1.12.0
- **OS:** MacOS
- **Language:** TypeScript

This is a 🐛 Bug Report
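An added example, not code from the issue author or from the CDK project, that puts numbers on the limit behind the `LimitExceeded` error above and sketches the second proposed solution: measure policy documents the way IAM counts them (whitespace is not counted, so the minified JSON length is used as the measure, an approximation that ignores whitespace inside string values) and pack statements into separate documents that each fit a customer managed policy. The 10,240-character role inline-policy total and the 6,144-character managed-policy size are the published IAM quotas; the sample statements, ARNs and account number are constructed for the example, and no CDK package is required to run it.

```typescript
// Added example (not from the issue or the CDK project): measure IAM policy
// documents against the quotas the issue hits and pack statements into
// managed-policy-sized documents instead of one growing inline policy.

interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// IAM quotas: all inline policies on one role together may not exceed 10,240
// characters; one customer managed policy may not exceed 6,144 characters.
const ROLE_INLINE_LIMIT = 10240;
const MANAGED_POLICY_LIMIT = 6144;

// IAM does not count whitespace, so the minified JSON length approximates
// the size IAM checks (assumption: no significant whitespace inside strings).
function policySize(doc: PolicyDocument): number {
  return JSON.stringify(doc).length;
}

function wrap(statements: PolicyStatement[]): PolicyDocument {
  return { Version: '2012-10-17', Statement: statements };
}

// Combined size of a role's inline policies: the number that produced the
// "Maximum policy size of 10240 bytes exceeded" error in the issue.
function inlinePolicyTotal(inlinePolicies: PolicyDocument[]): number {
  return inlinePolicies.reduce((sum, p) => sum + policySize(p), 0);
}

function exceedsRoleInlineLimit(inlinePolicies: PolicyDocument[]): boolean {
  return inlinePolicyTotal(inlinePolicies) > ROLE_INLINE_LIMIT;
}

// Greedy first-fit packing of statements into documents that each stay under
// the managed-policy limit. A single statement that does not fit on its own is
// an error, because no packing can rescue it.
function packIntoManagedPolicies(
  statements: PolicyStatement[],
  limit: number = MANAGED_POLICY_LIMIT,
): PolicyDocument[] {
  const docs: PolicyStatement[][] = [];
  for (const s of statements) {
    if (policySize(wrap([s])) > limit) {
      throw new Error(`statement ${s.Sid ?? '(no Sid)'} alone exceeds ${limit} characters`);
    }
    let placed = false;
    for (const d of docs) {
      if (policySize(wrap([...d, s])) <= limit) {
        d.push(s);
        placed = true;
        break;
      }
    }
    if (!placed) docs.push([s]);
  }
  return docs.map(wrap);
}

// Constructed sample input: the per-project statements a shared pipeline role
// accumulates, one per CodeBuild project. Region, account and names are made up.
function sampleStatements(n: number): PolicyStatement[] {
  const out: PolicyStatement[] = [];
  for (let i = 0; i < n; i++) {
    out.push({
      Sid: `Build${i}`,
      Effect: 'Allow',
      Action: ['codebuild:BatchGetBuilds', 'codebuild:StartBuild', 'codebuild:StopBuild'],
      Resource: `arn:aws:codebuild:eu-west-1:111111111111:project/example-pipeline-${i}-build`,
    });
  }
  return out;
}

function main(): void {
  const stmts = sampleStatements(60);
  const asOneInline = [wrap(stmts)];
  console.log(`inline total: ${inlinePolicyTotal(asOneInline)} chars, over role limit: ${exceedsRoleInlineLimit(asOneInline)}`);
  const managed = packIntoManagedPolicies(stmts);
  console.log(`packed into ${managed.length} managed policies, largest ${Math.max(...managed.map(policySize))} chars`);
}

main();
```

Run `sampleStatements` with the number of pipelines you deploy and the output shows how far a shared imported role is from the inline limit and how many managed policies the same statements would need; managed policies have their own per-role attachment quota, so packing only helps up to that count. The packing helper corresponds to the second proposal; later CDK releases addressed the first one with a `mutable: false` option on `iam.Role.fromRoleArn`, which tells CDK not to attach any policies to the imported role.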