Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[@aws-cdk/pipelines] Maximum policy size of 10240 bytes exceeded for role #9316

Closed
seawatts opened this issue Jul 29, 2020 · 1 comment · Fixed by #9333
Closed

[@aws-cdk/pipelines] Maximum policy size of 10240 bytes exceeded for role #9316

seawatts opened this issue Jul 29, 2020 · 1 comment · Fixed by #9333
Assignees
@njlynch
Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. in-progress This issue is being actively worked on. p1

Comments

@seawatts
Copy link

❓ General Issue

The Question

After adding around 5 stacks to a single Pipeline Application (Stage) the pipeline references 15 assets and new reused PipelineAssetRole policy grows to be too large, blocking the pipeline and making it unusable.

Just tried out the latest fix (#9243) with v1.55.0 But now I am seeing this error when deploying.

Maximum policy size of 10240 bytes exceeded for role PipelineStack-PipelineAssetsRole9B011X83-1UOLXJQTUXXXX

Environment

  • CDK CLI Version: 1.55.0 (build 48ccf09)
  • Module Version: 1.55.0
  • Node.js Version: v14.5.0
  • OS: OSX Catalina
  • Language (Version): TypeScript (3.9.7)

Other information

Related:
#9225
@seawatts seawatts added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2020
@github-actions github-actions bot added the @aws-cdk/pipelines CDK Pipelines library label Jul 29, 2020
@njlynch njlynch assigned njlynch and unassigned ericzbeard Jul 29, 2020
@njlynch njlynch added bug This issue is a bug. p1 and removed guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2020
@njlynch
Copy link
Contributor

njlynch commented Jul 29, 2020

The individual statements for a single asset within the PipelineAssetsRoleDefaultPolicy comes in at ~2400 bytes; this means the current approach only scales to about 4-5 assets before we will hit this policy size limit.

njlynch added a commit that referenced this issue Jul 29, 2020
@njlynch
fix(pipelines): reduce assets IAM policy size
14d8a47 
Collapse the PipelineAssetsRoleDefaultPolicy into a single up-front policy that
doesn't grow per-asset. This relaxes some of the permissions in exchange for
avoiding an O(N) policy size.

fixes #9316
@njlynch njlynch mentioned this issue Jul 29, 2020
Merged
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Jul 30, 2020
@mergify mergify bot closed this as completed in #9333 Jul 30, 2020
mergify bot pushed a commit that referenced this issue Jul 30, 2020
@njlynch
fix(pipelines): reduce assets IAM policy size (#9333)
88d563f 
Collapse the PipelineAssetsRoleDefaultPolicy into a single up-front policy that
doesn't grow per-asset. This relaxes some of the permissions in exchange for
avoiding an O(N) policy size.

fixes #9316

_Testing notes:_ Successfully deployed a pipeline with 49 assets (25 file assets and 24 docker assets). 50 assets is the limit for a single stage of the pipeline. To scale out past 50 assets, we will need to segment the assets pipeline stage into multiple stages. I'm considering that out-of-scope for this bugfix.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
curtiseppel pushed a commit to curtiseppel/aws-cdk that referenced this issue Aug 11, 2020
@njlynch
fix(pipelines): reduce assets IAM policy size (aws#9333)
7816dfc 
Collapse the PipelineAssetsRoleDefaultPolicy into a single up-front policy that
doesn't grow per-asset. This relaxes some of the permissions in exchange for
avoiding an O(N) policy size.

fixes aws#9316

_Testing notes:_ Successfully deployed a pipeline with 49 assets (25 file assets and 24 docker assets). 50 assets is the limit for a single stage of the pipeline. To scale out past 50 assets, we will need to segment the assets pipeline stage into multiple stages. I'm considering that out-of-scope for this bugfix.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@NGL321 NGL321 mentioned this issue Mar 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@njlynch njlynch

Labels
@aws-cdk/pipelines CDK Pipelines library bug This issue is a bug. in-progress This issue is being actively worked on. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(pipelines): reduce assets IAM policy size aws/aws-cdk
4 participants
@ericzbeard @njlynch @seawatts @SomayaB