Description
Describe the bug
In order for CDK actions to deploy to remote accounts/regions, CloudFormation templates and local assets (i.e. Lambda zip files) are uploaded to an assets bucket in each of those accounts/regions.
Because the CDK manages the AssetsFileRoleDefaultPolicy attached to the IAM role CodeBuild uses to publish those assets, it keeps extending that policy with Allow statements for assuming the remote file-publishing-role roles created by the bootstrap process. With one entry per account/region pair, the policy exceeds the IAM maximum policy size at 72 targets (72 accounts in one region, 31 in two regions, etc.).
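To make the size limit described above concrete, here is an added example (not aws-cdk code) that rebuilds a policy shaped like the AssetsFileRoleDefaultPolicy from a list of account/region targets, measures it the way IAM does, and reports how many targets fit before the quota is hit. It assumes the documented 10,240-character limit for inline role policies, that `${AWS::Partition}` resolves to `aws` (IAM measures the resolved document), and uses constructed account ids, bucket names and the bootstrap qualifier `cdkqualifier` taken from the naming scheme on this page.

```python
"""Pre-deployment check: will a CDK-Pipelines-style assets-publishing policy
fit the IAM inline-policy quota?  Added example, not aws-cdk code.

Assumptions: the resolved policy is what IAM measures (so ${AWS::Partition}
is rendered as "aws"); account ids, the artifacts bucket name and the
bootstrap qualifier "cdkqualifier" are constructed values for illustration.
"""
import json
from typing import Iterable, List, Tuple

# Documented IAM quota: an inline policy on a role may hold at most 10,240
# characters; whitespace outside quoted strings does not count toward it.
ROLE_INLINE_POLICY_LIMIT = 10240

Target = Tuple[str, str]  # (account id, region)


def publishing_role_arn(account_id: str, region: str,
                        qualifier: str = "cdkqualifier") -> str:
    """ARN of the bootstrap file-publishing role, using the naming scheme
    visible in the policy on this page (partition resolved to "aws")."""
    return (f"arn:aws:iam::{account_id}:role/"
            f"cdk-{qualifier}-file-publishing-role-{account_id}-{region}")


def build_policy(targets: Iterable[Target]) -> dict:
    """Policy shaped like AssetsFileRoleDefaultPolicy: fixed CodeBuild/S3
    statements plus one sts:AssumeRole statement listing every target role.
    The AssumeRole statement is the only part that grows with the target count."""
    assume_role = {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Resource": [publishing_role_arn(acct, region) for acct, region in targets],
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
             "Effect": "Allow",
             # constructed: pipeline account 000000000000 in us-east-1
             "Resource": "arn:aws:logs:us-east-1:000000000000:log-group:/aws/codebuild/*"},
            {"Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild"],
             "Effect": "Allow", "Resource": "*"},
            assume_role,
            {"Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
             "Effect": "Allow",
             "Resource": ["arn:aws:s3:::constructed-artifacts-bucket",     # constructed
                          "arn:aws:s3:::constructed-artifacts-bucket/*"]},
        ],
    }


def policy_size(policy: dict) -> int:
    """Characters IAM counts: serialise with no inter-token whitespace."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_limit(policy: dict, limit: int = ROLE_INLINE_POLICY_LIMIT) -> bool:
    return policy_size(policy) <= limit


def max_accounts_within_limit(regions: List[str],
                              limit: int = ROLE_INLINE_POLICY_LIMIT) -> int:
    """Largest number of accounts, each deployed to every region in `regions`,
    whose AssumeRole list still fits in a single inline policy."""
    n = 0
    while True:
        accounts = [f"{i:012d}" for i in range(1, n + 2)]   # constructed 12-digit ids
        candidate = [(acct, region) for acct in accounts for region in regions]
        if not fits_limit(build_policy(candidate), limit):
            return n
        n += 1


if __name__ == "__main__":
    for regions in (["us-east-1"], ["us-east-1", "eu-west-1"]):
        n = max_accounts_within_limit(regions)
        print(f"{len(regions)} region(s): {n} accounts fit "
              f"({n * len(regions)} account/region pairs) under {ROLE_INLINE_POLICY_LIMIT} chars")
```

The exact number of targets that fit depends on the length of the real region names and account ids, so the figures this prints are illustrative rather than the 72 reported above; the useful part is running `fits_limit` against the synthesized template before `cdk deploy`, so the failure is caught as a size check in CI rather than as a CloudFormation rollback.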
Expected Behavior
It is common for enterprises to deploy to hundreds (if not thousands) of targets. We expect the CDK to allow us to pass our own policies for every stage of the pipeline, including the assets publishing stage. We also expect the CDK to be aware of CloudFormation and IAM limits and to abstract the complexity of managing those services.
Current Behavior
This is an example of the policy created by the CDK (minified size > 10 KB):
```json
{
  "accountsbaseliningpipelinexxxxxxxxxxxx0AssetsFileRoleDefaultPolicyxxxxxxxx": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "PolicyDocument": {
        "Statement": [
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Effect": "Allow",
            "Resource": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  { "Ref": "AWS::Partition" },
                  ":logs:region-1:xxxxxxxxxxxx:log-group:/aws/codebuild/*"
                ]
              ]
            }
          },
          {
            "Action": [
              "codebuild:CreateReportGroup",
              "codebuild:CreateReport",
              "codebuild:UpdateReport",
              "codebuild:BatchPutTestCases",
              "codebuild:BatchPutCodeCoverages"
            ],
            "Effect": "Allow",
            "Resource": {
              "Fn::Join": [
                "",
                [
                  "arn:",
                  { "Ref": "AWS::Partition" },
                  ":codebuild:region-1:xxxxxxxxxxxx:report-group/*"
                ]
              ]
            }
          },
          {
            "Action": [
              "codebuild:BatchGetBuilds",
              "codebuild:StartBuild",
              "codebuild:StopBuild"
            ],
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": [
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-cdkqualifier-file-publishing-role-${AWS::AccountId}-${AWS::Region}" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-1" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-cdkqualifier-file-publishing-role-${AWS::AccountId}-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" },
              { "Fn::Sub": "arn:${AWS::Partition}:iam::xxxxxxxxxxxx:role/cdk-cdkqualifier-file-publishing-role-xxxxxxxxxxxx-region-2" }
            ]
          },
          {
            "Action": [
              "s3:GetObject*",
              "s3:GetBucket*",
              "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": [
              {
                "Fn::GetAtt": [
                  "accountsbaseliningpipelinexxxxxxxxxxxx0skeletonArtifactsBucket2201989E",
                  "Arn"
                ]
              },
              {
                "Fn::Join": [
                  "",
                  [
                    {
                      "Fn::GetAtt": [
                        "accountsbaseliningpipelinexxxxxxxxxxxx0skeletonArtifactsBucket2201989E",
                        "Arn"
                      ]
                    },
                    "/*"
                  ]
                ]
              }
            ]
          },
          {
            "Action": [
              "kms:Decrypt",
              "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": {
              "Fn::GetAtt": [
                "accountsbaseliningpipelinexxxxxxxxxxxx0skeletonArtifactsBucketEncryptionKeyF3A5899F",
                "Arn"
              ]
            }
          }
        ],
        "Version": "2012-10-17"
      },
      "PolicyName": "accountsbaseliningpipelinexxxxxxxxxxxx0AssetsFileRoleDefaultPolicyxxxxxxxx",
      "Roles": [
        { "Ref": "accountsbaseliningpipelinexxxxxxxxxxxx0AssetsFileRolexxxxxxxx" }
      ]
    },
    "Metadata": {
      "aws:cdk:path": "cdk-deployment-pipelines/accounts-baselining-pipeline-3-xxxxxxxxxxxx/Assets/FileRole/DefaultPolicy/Resource"
    }
  }
}
```
Reproduction Steps
You can reproduce the issue by creating a CodePipeline with actions deploying assets to ~72 account/region pairs.
Possible Solution
Similar to the CodePipeline pipeline role that we can already pass, allowing us to pass our own assets publishing role or policy would solve the problem.
Additional Information/Context
No response
CDK CLI Version
2.20.0
Framework Version
No response
Node.js Version
6.14.15
OS
Amazon Linux 2
Language
Python
Language Version
Python 3.8.13
Other information
No response