I want to use EKS Pod Identities as a credentials source for my application, which uses Role Chaining to assume other roles.
My application also relies on a set of required Session Tags that should be passed when assuming the role; however, the AssumeRole call is failing with:
```
"errorCode": "PackedPolicyTooLargeException",
"errorMessage": "Packed size of session tags consumes 112% of allotted space.",
```
I performed a set of tests to record the packedPolicySize value in CloudFront events:

| Test | packedPolicySize | Comment |
| --- | --- | --- |
| Assuming role without EKS Pod Identities with required custom Session Tags | 37 | This is a baseline of policy size required by my application. |
| Assuming role with EKS Pod Identity with required custom Session Tags | 112 | PackedPolicyTooLargeException |
| Assuming role with EKS Pod Identity without any session tags | 74 | ❗️ EKS Pod Identity session by itself consumes 74% of the limit ❗️ |

Based on the above, we can see that assuming role using EKS Pod Identity leaves only 26% of PackedPolicyLimit, which is not enough for any type of custom ABAC policies.
It's unclear where all of those 74% are coming from, because the AssumeRole documentation says that it shouldn't:
> TransitiveTagKeys.member.N
>
> A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
>
> This parameter is optional. When you set session tags as transitive, the session policy and session tags packed binary limit is not affected.
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment