Description
We have a CodePipeline set up with cross-region support. The pipeline creates replication buckets in the cross regions, and the pipeline internally adds permissions for these S3 buckets to the pipeline role here.
Something like this is added for each cross region:
```json
{
  "Action": [
    "s3:GetObject*",
    "s3:GetBucket*",
    "s3:List*",
    "s3:DeleteObject*",
    "s3:PutObject*",
    "s3:Abort*"
  ],
  "Resource": [
    "arn:aws:s3:::<replicationbucket>",
    "arn:aws:s3:::<replicationbucket>/*"
  ],
  "Effect": "Allow"
},
```
Since addAction is called for each region, a new policy statement with the same permissions is added every time. This causes the pipeline role's inline policy to exceed the IAM policy size limit, producing the error below.
`Maximum policy size of 10240 bytes exceeded for role <pipelinerole>`
A similar issue is seen for the sts:AssumeRole permissions added here.
Reproduction Steps
Create a CodePipeline with multiple stages and ~15 regions.
What did you expect to happen?
The role that the pipeline created should be reduced / compacted. Since there are many duplicate actions for each resource, we can have a single policy statement with all resources.
We were adding new stages and regions in our pipeline when we observed this.
What actually happened?
Got this error when deploying the stack:
`Maximum policy size of 10240 bytes exceeded for role <pipelinerole>`
Environment
- CDK CLI Version: 1.23, I think the latest version has this bug too.
- Framework Version: 1.23
- Node.js Version: 12.x
- OS: MacOS
- Language (Version): TypeScript (3.8.3)
This is 🐛 Bug Report
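As an added illustration of the compaction the report asks for (this is example code written for this page, not code from the issue or from the CDK project; bucket and region names are constructed placeholders): the helper below merges statements that differ only in Resource into one statement with the union of resources, which keeps the granted (action, resource, condition) set identical, and it deliberately leaves statements with a different Condition or Effect unmerged, since merging those would change what is granted.

```python
import json

# Constructed sample, modelled on the replication-bucket statement in the report.
ACTIONS = ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
           "s3:DeleteObject*", "s3:PutObject*", "s3:Abort*"]

def replication_statement(region):
    """One Allow statement per cross-region bucket (bucket name is a placeholder)."""
    bucket = f"pipeline-replication-{region}"
    return {"Action": list(ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Effect": "Allow"}

def build_policy(regions):
    """Policy the way the report describes it: one statement appended per region."""
    return {"Version": "2012-10-17",
            "Statement": [replication_statement(r) for r in regions]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _merge_key(stmt):
    # Two statements may be merged only if everything except Resource/Sid is
    # identical: Effect, the Action set, and any Condition/Principal/NotAction.
    rest = {k: v for k, v in stmt.items() if k not in ("Resource", "Sid")}
    rest["Action"] = sorted(_as_list(rest.get("Action", [])))
    return json.dumps(rest, sort_keys=True)

def compact_policy(policy):
    """Merge statements that differ only in Resource into one statement holding
    the union of their resources. The set of (action, resource, condition)
    grants is unchanged, so the compacted policy is equivalent but smaller."""
    merged = {}
    for stmt in policy["Statement"]:
        key = _merge_key(stmt)
        if key not in merged:
            merged[key] = {k: v for k, v in stmt.items() if k != "Sid"}
            merged[key]["Resource"] = []
        for res in _as_list(stmt["Resource"]):
            if res not in merged[key]["Resource"]:
                merged[key]["Resource"].append(res)
    return {"Version": policy.get("Version", "2012-10-17"),
            "Statement": list(merged.values())}

def policy_size(policy):
    """Approximates IAM's size count (characters excluding whitespace)."""
    return len(json.dumps(policy, separators=(",", ":")))
```

Running `compact_policy(build_policy([...15 regions...]))` collapses 15 statements into one with 30 resources; comparing `policy_size` before and after shows how much of the 10240-byte budget the duplicate Action/Effect blocks were consuming.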