amplify-cli: IAM policy size exceeded

I just created a fresh amplify project.

  1. amplify init
  2. amplify add api
  3. amplify push
  4. amplify add api
  5. amplify push / amplify push api < errors here

CREATE_FAILED AuthRolePolicy AWS::IAM::Policy Thu Nov 07 2019 20:31:40 GMT+0200 (South Africa Standard Time) Maximum policy size of 10240 bytes exceeded for role amplify-culture-app-dev-163322-authRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: e116276c-a03f-469a-b0f5-e0ac1fc43460)
CREATE_FAILED UnauthRolePolicy AWS::IAM::Policy Thu Nov 07 2019 20:31:39 GMT+0200 (South Africa Standard Time) Maximum policy size of 10240 bytes exceeded for role amplify-culture-app-dev-163322-unauthRole (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; Request ID: 93255697-fe0d-4f4f-a085-69a63574d832)

I simply copied the schema from my working project and added it into the new one. I can’t even see the policy amplify creates to see why it is too long.

Most models look similar to this:

```graphql
type City @model
  @key(name: "cityByName", fields: ["title"], queryField: "findCityByName")
  @auth(rules: [
    { allow: groups, groups: ["admin"] },
    { allow: groups, groups: ["users"], operations: [read] },
    { allow: public, provider: iam, operations: [read] }
  ])
  @searchable {
  id: ID!
  title: String!
  description: String
  country: String
  continent: String
  location: Location
  timezoneOffset: Float
  currency: String
  images: [String]
  createdAt: Float!
  updatedAt: Float!
}
```

Any ideas? This is a blocker… again.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 27 (15 by maintainers)

Most upvoted comments

@nujhong could you please send us these to amplify-cli@amazon.com:

  • graphql schema
  • amplify-meta.json
  • built cloudformation file for the API: cloudformation-template.json

Wanted to follow up - this was released in the latest version of the CLI. Please do update and let us know how things are going.

The fix is not released yet. It will be in the next release

@warrenmcquinn Got it. Yes, we’ve been in communication with the IAM service as well, and with managed policies there is some flexibility around quotas and limits, as you’ve mentioned. We’re planning on working towards moving the policies (at least for AppSync, due to its verbosity) from inline to managed policies for this flexibility.

@houmark I’d commented on this issue 24 hours back, and our team has been looking into this for the last couple of days. We are definitely not trying to be silent about it. There are moving pieces here that need to be thought out in detail. The solution mentioned by @warrenmcquinn has limitations, since there’s a max of 10 IAM managed policies that you can attach to any role. So if we have a managed policy per model as recommended by @warrenmcquinn, you’d have a max limit of 10 models (which can have IAM auth on them), which is again a limitation.

Also, each of the managed policies also has a limit of 10,240 bytes, so we cannot group the policies into one role. We can strategize and enforce some bucketing mechanism to fill policies dynamically into the 10 IAM managed policies which we can attach to the auth and unauth roles, but it would still be easy for someone with a large number of models and field-level authorizations with IAM to surpass this number.

In my response above, I’d mentioned that, until we find and release a solution, a potential workaround was to raise an AWS support request for an increase in the IAM policy limits, and in no way was that an excuse not to solve the problem. Our team tries really hard to address issues and concerns, and sometimes issues are non-trivial like this one and take more time, thought, and testing.

Also, for other categories we don’t generate managed policies - and they’re inline as well, so managed policies would be something new for the CLI. We didn’t anticipate the policy size exceeding since we didn’t have test cases which would exceed the IAM policy size limit.
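The original post asks why the generated policy is too long without being able to see it, and the maintainers' comments describe a bucketing strategy over managed policies. The script below is an added example, not Amplify CLI code: it builds a stand-in for the per-field AppSync `appsync:GraphQL` policy that `@auth(provider: iam)` rules expand to, measures it the way IAM counts policy size (characters, whitespace excluded), and tries first-fit-decreasing packing of the statements into managed policies. The ARN shape, the region/account/API ID placeholders, the `Model0`…`Model11` list and the quota constants are constructed assumptions; the quota values are the ones AWS documents for inline role policies and customer managed policies and should be replaced if your account has a raised limit.

```python
"""Added example, not Amplify CLI code: estimate how large the AppSync IAM
policy for field-level @auth(provider: iam) rules gets, and try the
"bucketing" strategy from the thread (spread statements over up to ten
managed policies). The per-field ARN shape, the account/API values and the
model list are constructed assumptions, not output captured from Amplify."""
import json

# IAM quotas as documented by AWS: sizes are counted in characters with
# whitespace excluded. Adjust if your account has a raised quota.
INLINE_ROLE_POLICY_LIMIT = 10240     # all inline policies on one role
MANAGED_POLICY_LIMIT = 6144          # one customer managed policy
MAX_MANAGED_POLICIES_PER_ROLE = 10

# Constructed placeholders (assumption: this is the resource shape AppSync
# uses for field-level permissions).
REGION, ACCOUNT, API_ID = "eu-west-1", "123456789012", "abcdefghijklmnopqrstuvwxyz"


def field_arn(type_name, field):
    return f"arn:aws:appsync:{REGION}:{ACCOUNT}:apis/{API_ID}/types/{type_name}/fields/{field}"


def wrap(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def policy_size(policy):
    """Approximate the size IAM counts: compact JSON with all whitespace removed."""
    return len("".join(json.dumps(policy, separators=(",", ":")).split()))


def read_statement(type_name, fields, queries):
    """One Allow statement granting public read on a model: the Query fields
    that return it plus every field on the type itself."""
    resources = [field_arn("Query", q) for q in queries]
    resources += [field_arn(type_name, f) for f in fields]
    return {"Effect": "Allow", "Action": ["appsync:GraphQL"], "Resource": resources}


def split_statement(stmt, limit):
    """Split a statement whose Resource list alone overflows `limit` into
    several statements with the same Effect and Action."""
    pieces, current = [], []
    for arn in stmt["Resource"]:
        if current and policy_size(wrap([dict(stmt, Resource=current + [arn])])) > limit:
            pieces.append(dict(stmt, Resource=current))
            current = []
        current.append(arn)
    pieces.append(dict(stmt, Resource=current))
    return pieces


def pack(statements, limit=MANAGED_POLICY_LIMIT, max_policies=MAX_MANAGED_POLICIES_PER_ROLE):
    """First-fit-decreasing packing of statements into managed policies.
    Raises ValueError when more than `max_policies` would be needed, which is
    the case the maintainers describe for large schemas."""
    pieces = [p for s in statements for p in split_statement(s, limit)]
    pieces.sort(key=lambda s: policy_size(wrap([s])), reverse=True)
    bins = []
    for piece in pieces:
        for b in bins:
            if policy_size(wrap(b + [piece])) <= limit:
                b.append(piece)
                break
        else:
            bins.append([piece])
    if len(bins) > max_policies:
        raise ValueError(f"{len(bins)} managed policies needed, a role accepts {max_policies}")
    return [wrap(b) for b in bins]


def report(models):
    """Size of the single inline policy that would be attached, per-model
    contributions, and whether it crosses the inline quota."""
    statements = [read_statement(name, fields, queries) for name, fields, queries in models]
    total = policy_size(wrap(statements))
    return {
        "inline_size": total,
        "exceeds_inline": total > INLINE_ROLE_POLICY_LIMIT,
        "per_model": {name: policy_size(wrap([s])) for (name, _, _), s in zip(models, statements)},
    }


# Constructed models shaped like the City type in the issue.
CITY_FIELDS = ["id", "title", "description", "country", "continent", "location",
               "timezoneOffset", "currency", "images", "createdAt", "updatedAt"]


def model(name):
    return (name, CITY_FIELDS, [f"get{name}", f"list{name}s", f"search{name}s"])


if __name__ == "__main__":
    models = [model(f"Model{i}") for i in range(12)]
    print(json.dumps(report(models), indent=2))
    for i, doc in enumerate(pack([read_statement(*m) for m in models])):
        print(f"managed policy {i}: {policy_size(doc)} chars, {len(doc['Statement'])} statements")
```

With these placeholders a single City-sized model costs roughly 1.5 KB of policy, so a dozen models with public IAM read already pass the 10,240-character inline quota, and a few dozen exceed what ten managed policies can hold, which is the limitation the maintainers describe. To measure the real thing rather than this constructed list, pull the `Resource` arrays out of the built template the maintainers asked for (`cloudformation-template.json`, typically under `amplify/backend/api/<api name>/build/`); they contain `Fn::Join`/`Fn::Sub` intrinsics, so substitute concrete region, account and API ID values before calling `policy_size`.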