(iam) Role policies are frequently exceeding 10kB

[Larkenx]

aws-cdk/packages/@aws-cdk/aws-iam/lib/role.ts

Lines 300 to 302 in e7f09cb

	private readonly managedPolicies: IManagedPolicy[] = [];
	private readonly attachedPolicies = new AttachedPolicies();
	private readonly inlinePolicies: { [name: string]: PolicyDocument };

In order to support better flexibility when cleaning up the inline policy statements after creating large AWS CDK Stacks with several inline IAM policies, we'd like to be able to have read access on these fields so that we can de-dupe action & resource in line policies that are the same, but repeated numerous times.

We're frequently exceeding the 10kb policy limit size, and looking for ways to improve this.

[rix0rrr]

I don't think giving you more access to mess around in CDK internals is the right solution.

It makes sense to me for example to combine resources from otherwise identical policy statements, that's an optimization we can do.

How is this happening for you, what would you personally be doing about this?

As a temporary workaround, you can make your own subclass of Role which implements your optimizations, or pass role.withoutPolicyUpdates() to constructs and just provide the complete policy document yourself.

[Larkenx]

@rix0rrr I agree after tinkering with this for a few days.

We ended up combining our IAM policy statements using Aspects to reduce the size of our inline policy down to below the character quota instead of trying to patch/exclude grants on the IAM Role along the way

How is this happening for you, what would you personally be doing about this?

We have a lot of custom higher level constructs that often results involve large amounts of AWS resources, and they're usually done with passing around a single IAM Role and granting it on all the resources.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.