ECS Secrets from SSM ParamStore exceeds IAM Policy size

[cynicaljoy]

I'm unable to deploy my stack that makes use of ECS Secrets. I'm trying to use 58 ECS Secrets (current hard limit is 60) but how CDK is currently writing the IAM Policy for the Execution Role I'm hitting a limit with the IAM Policy.

The limit is being hit because CDK is adding a statement to the policy per parameter which creates a lot of duplication within the statement.

            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :ssm:us-east-2:065449092177:parameter/application/parameter1
          - Action:
              - ssm:DescribeParameters
              - ssm:GetParameters
              - ssm:GetParameter
              - ssm:GetParameterHistory
            Effect: Allow

Reproduction Steps

Sorry, I don't have a stack that I can share.

1. Create ECS Application w/60 secrets
2. cdk deploy

Error Log

Maximum policy size of 10240 bytes exceeded for role

Environment

• CLI Version : 1.44.0
• Framework Version: 1.44.0
• Node.js Version: v12.16.1
• OS : macOS 10.15.5
• Language (Version): TypeScript (3.7.2)

Other

My ideal solution would be an additional parameter for ecs.Secret.fromSsmParameter that gives the option to skip the grant. My stack already appends a Managed Policy to the Execution Role that has all of the access necessary for my application to pull the parameters.

A more immediate option would be to group all of the SSM parameter grants into a single statement to dramatically reduce the duplication of the Action statements 60 times

---

This is 🐛 Bug Report

[rix0rrr]

As a workaround you can always pass role.withoutPolicyUpdates() to avoid policies from getting added.

[mriccia]

I've come across a similar issue, I found that when using ecs.Secret.fromSSMParameter or ecs.Secret.fromSecretsManager an IAM grant is automatically added to the IAM role assigned to the TaskDefinition.
You can see the implementation here and here
The function is then invoked during the object creation here

CDK could make this better by adding an optional flag to disable autocreation of the additional IAM statements.

As a workaround you can do the following:

secretsObj = ecs.Secret.fromSecretsManager(secret);
//add a no-op function to avoid IAM statement creation
secretsObj.grantRead = function(){};

[LeandroSoares]

Guys i had the same problem, when using an existing role, until i found the option mutable:

Role.fromRoleArn(this, 'ECSTaskExecutionRole', 'MyExecutionRoleArn', { mutable: false }),

[kyler-hyuna]

@rix0rrr Would it take significant work to group the ssm secrets into one statement