CodePipeline: AssetsFileRoleDefaultPolicy exceeds IAM policy limit (10KB) when deploying to ~72 targets #19939
Comments
This is a common issue unfortunately, we're tracking all the issues similar to this here and are trying to figure out the best ways to approach this problem. Thanks for sharing your experience 🙂
Two changes:

- Collapse CodeBuild action Roles: each CodeBuild step used to create a fresh Role to run the CodeBuild action. Change to use one Role for all CodeBuild actions. This saves a lot of resources and policy space when using a lot of CodeBuild steps, and doesn't appreciably change the security posture of the Pipeline (note: this is *not* about the Execution Role of the CodeBuild projects, this is about the Role assumed by the Pipeline to initiate execution of the Project).
- If inline policies grow bigger than 10k, split additional statements off into ManagedPolicies. Since we want to do the splitting post-merging (to get the most bang for our buck), we now need to do statement merging during the `prepare` phase (that is, pre-rendering, instead of post-rendering). That means it had to be modified to work on `PolicyStatement` objects, instead of on raw IAM JSON documents.

Closes #19276, closes #19939, closes #19835.
(This change has been split off from #20189 because that PR was growing too big) Collapse CodeBuild action Roles: each CodeBuild step used to create a fresh Role to run the CodeBuild action. Change to use one Role for all CodeBuild actions. This saves a lot of resources and policy space when using many CodeBuild steps, and doesn't appreciably change the security posture of the Pipeline (note: this is not about the Execution Role of the CodeBuild projects, this is about the Role assumed by the Pipeline to initiate execution of the Project). Relates to #19276, #19939, #19835.
We add all Role policy statements to the Inline policy, which has a maximum size of 10k. Especially when creating CDK Pipelines that deploy to a lot of environments, the list of Role ARNs the Pipeline should be allowed to assume exceeds this size. Roles also have the ability to have Managed Policies attached (10 by default, 20 with a quota increase), each of them can be 6k in size. By spilling over from inline policies into Managed Policies we can get a total of 70k of statements attached to each Role.

This PR introduces `IComparablePrincipal` to be able to value-compare two principals: since we want to merge first before we split (to get the most bang for our buck), we now need to do statement merging during the prepare phase, while we are still working on the object graph (instead of the rendered CloudFormation template). That means statement merging had to be modified to work on `PolicyStatement` objects, which requires being able to compare Principal objects.

Closes #19276, closes #19939, closes #19835.
Hi, do we get the solution of the above described problem, I am facing the same. @AhmadDaoud
@Aayush-gupta10 this issue should have been fixed by #20400, and available in version If you did all that, and things are still not working, please open a new issue (this one is closed already), showing your code, the command you're running, and the error that you get.
Describe the bug
In order for CDK actions to deploy to remote accounts/regions, CloudFormation templates and local assets (i.e. Lambda zip files) are uploaded to an assets bucket in each of those accounts/regions.
As the CDK manages `AssetsFileRoleDefaultPolicy`, associated with the IAM role used by CodeBuild to publish those assets, it keeps updating it with allow actions for assuming the remote `file-publishing-role` roles created by the bootstrap process. This method of 1 block per account/region pair causes the policy size to exceed the IAM policy maximum limit at 72 targets (72 accounts in 1x region, or 31 in 2x regions, etc.).

Expected Behavior
It is common for enterprises to deploy to 100s (if not 1000s of targets). We expect the CDK to allow us to pass our own policies for every stage of the pipeline, including assets publishing stage. We also expect the CDK to be aware of CloudFormation and IAM limits and abstract the complexity of managing those services.
Current Behavior
This is an example of the policy created by the CDK (minified size > 10KB)
Reproduction Steps
You can reproduce the issue by creating a CodePipeline with actions deploying assets to ~72 account/region pairs.
Possible Solution
Similar to the CodePipeline Pipeline role that we can pass, allowing us to pass an assets publishing role or policy would solve the problem.
Additional Information/Context
No response
CDK CLI Version
2.20.0
Framework Version
No response
Node.js Version
6.14.15
OS
Amazon Linux 2
Language
Python
Language Version
Python 3.8.13
Other information
No response
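The size check behind the 72-target threshold in this bug report, and the merge-first-then-spill approach described in the linked PR (merge statements that differ only in Resource, fill the 10k inline policy, spill the rest into 6k managed policies), as an added Python example that is not the CDK's own code. It models the per-target `sts:AssumeRole` statements as plain dicts rather than `PolicyStatement` objects; the bootstrap qualifier `hnb659fds` and the file-publishing-role naming pattern are assumptions, the account ids are constructed, and policy size is approximated as the length of minified JSON (IAM does not count whitespace). The limits 10,240 and 6,144 characters and the default quota of 10 managed policies per role are IAM's documented values.

```python
"""Added example (not CDK code): size-check the per-target AssumeRole policy
from this issue, then apply the merge-then-spill approach described in the
linked PR in plain Python. Size = length of minified JSON, which approximates
IAM's rule of ignoring whitespace when measuring a policy document."""
import json

INLINE_POLICY_LIMIT = 10240        # IAM limit for a role's inline policy (chars)
MANAGED_POLICY_LIMIT = 6144        # IAM limit for a customer managed policy (chars)
MANAGED_POLICIES_PER_ROLE = 10     # default quota of managed policies per role
BOOTSTRAP_QUALIFIER = "hnb659fds"  # CDK's default bootstrap qualifier (assumed here)


def file_publishing_role_arn(account: str, region: str) -> str:
    """ARN of the bootstrap file-publishing role for one account/region target
    (follows the default CDK bootstrap naming pattern; assumed here)."""
    return (f"arn:aws:iam::{account}:role/"
            f"cdk-{BOOTSTRAP_QUALIFIER}-file-publishing-role-{account}-{region}")


def make_targets(n: int) -> list:
    """Constructed sample targets: n distinct 12-digit account ids over two regions."""
    regions = ["us-east-1", "eu-west-1"]
    return [(f"{100000000000 + i:012d}", regions[i % 2]) for i in range(n)]


def policy_size(statements: list) -> int:
    """Length of the minified policy document wrapping these statements."""
    doc = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(doc, separators=(",", ":")))


def per_target_statements(targets: list) -> list:
    """The shape reported in the issue: one sts:AssumeRole statement per target."""
    return [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": file_publishing_role_arn(acct, region)}
            for acct, region in targets]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def merge_statements(statements: list) -> list:
    """Merge statements that differ only in Resource (same Effect and Action and
    nothing else) into one statement with a Resource list. Statements carrying a
    Condition, Sid or Not* key are passed through untouched, because folding them
    together could widen what they grant."""
    merged, passthrough = {}, []
    for stmt in statements:
        if set(stmt) != {"Effect", "Action", "Resource"}:
            passthrough.append(stmt)
            continue
        bucket = merged.setdefault((stmt["Effect"], tuple(_as_list(stmt["Action"]))), [])
        for resource in _as_list(stmt["Resource"]):
            if resource not in bucket:          # de-duplicate identical ARNs
                bucket.append(resource)
    out = []
    for (effect, actions), resources in merged.items():
        out.append({"Effect": effect,
                    "Action": list(actions) if len(actions) > 1 else actions[0],
                    "Resource": resources if len(resources) > 1 else resources[0]})
    return out + passthrough


def split_policies(statements: list, max_managed: int = MANAGED_POLICIES_PER_ROLE) -> dict:
    """Pack statements into the inline policy first, then spill into managed
    policies. A statement whose Resource list does not fit is split across
    policies by resource (statements are assumed to carry a Resource key).
    Raises ValueError once the role is out of capacity."""
    bins, limits = [[]], [INLINE_POLICY_LIMIT]   # bins[0] is inline, the rest managed
    for stmt in statements:
        pending = _as_list(stmt["Resource"])
        while pending:
            placed = []
            for resource in pending:   # grow the slice until this policy would overflow
                trial = bins[-1] + [dict(stmt, Resource=placed + [resource])]
                if policy_size(trial) > limits[-1]:
                    break
                placed.append(resource)
            if not placed:             # nothing fits here: open the next managed policy
                if len(bins) - 1 >= max_managed:
                    raise ValueError("role capacity exceeded; raise the managed-policy "
                                     "quota or reduce the number of targets")
                bins.append([])
                limits.append(MANAGED_POLICY_LIMIT)
                continue
            bins[-1].append(dict(stmt, Resource=placed if len(placed) > 1 else placed[0]))
            pending = pending[len(placed):]
    return {"inline": bins[0], "managed": bins[1:]}


def fits_in_role(statements: list, max_managed: int = MANAGED_POLICIES_PER_ROLE) -> bool:
    """True if the statements can be attached to one role within IAM's limits."""
    try:
        split_policies(statements, max_managed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in (60, 72, 300):
        raw = per_target_statements(make_targets(n))
        merged = merge_statements(raw)
        packed = split_policies(merged)
        print(f"{n:4d} targets: per-target {policy_size(raw):6d} chars, "
              f"merged {policy_size(merged):6d} chars, "
              f"inline + {len(packed['managed'])} managed policies")
```

Run as a script it prints one line per target count. With the constructed ARNs, 72 unmerged statements already exceed the inline limit while the merged form fits comfortably; at 300 targets the merged statement no longer fits and is split by resource into the inline policy plus three managed policies. The packing is greedy rather than optimal, which is enough to show why the PR merges before it splits: merging shortens the document far more than any spill strategy can.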