The final policy size is bigger than the limit (20480)

Apparently, I reached the limit for the policy of my lambda function which I use with aws-cognito and aws-api-gateway:

The final policy size is bigger than the limit (20480)

So my lambda-function is filled with all the permitted endpoints from the api-gateway, e.g.:

{
  "Sid": "eff74414-a6bd-4520-bf67-691ced3245d5",
  "Effect": "Allow",
  "Principal": {
    "Service": "apigateway.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/company"
    }
  }
},
{
  "Sid": "6d52e172-84b6-4196-b924-f83b78153bc5",
  "Effect": "Allow",
  "Principal": {
    "Service": "apigateway.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/companies"
    }
  }
},
...

I know there is a way to consolidate these, using the aws cli, e.g.:

aws lambda add-permission --function-name 'FUNCTION' --statement-id '7bd8e791-7d28-41d0-9ebd-7e2596574fd5' --action "lambda:InvokeFunction" --principal "apigateway.amazonaws.com" --source-arn "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/*/*/*" --source-account "ID" --region 'eu-central-1'

Although I can add this permission, it's not valid:

The API with ID API_ID does not include a resource with path ///* having an integration arn:aws:lambda:eu-central-1:ID:function:FUNCTION on the GET method.

So what can I do to consolidate all my api-permissions?

Alright, so I found a solution. I set an Execution role on each Integration Request per resource-method in the API-Gateway.

This execution role needs to have a trusted relationship with the api-gateway - then it will finally work :)
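
An added example, not part of the original question or answer: a small audit of a Lambda resource policy shaped like the one in the question, reporting its serialized size against the 20480 limit and which statements a single wildcard SourceArn pattern would cover. The sample policy, the Sids `s1` to `s4`, `OTHER_API` and the candidate pattern are constructed, and measuring size as compact JSON length is an assumption about how the limit is counted.

```python
import json
import re

POLICY_LIMIT = 20480  # limit quoted in the error message on this page


def arn_like(pattern, arn):
    """ArnLike: the six colon-delimited ARN parts are compared one by one; * and ? are wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if not re.fullmatch(rx, a, flags=re.DOTALL):
            return False
    return True


def audit(policy, candidate):
    """Size of the policy, and which Sids a candidate SourceArn pattern would cover."""
    # Existing SourceArn values are matched as literal strings, which is a sound
    # coverage check as long as the candidate's only wildcard is *.
    covered, not_covered = [], []
    for stmt in policy["Statement"]:
        arn = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        (covered if arn and arn_like(candidate, arn) else not_covered).append(stmt["Sid"])
    size = len(json.dumps(policy, separators=(",", ":")))  # assumed size measure
    return {"size": size, "over_limit": size > POLICY_LIMIT,
            "covered": covered, "not_covered": not_covered}


def _stmt(sid, arn):  # constructed statement, same shape as those in the question
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
            "Condition": {"ArnLike": {"AWS:SourceArn": arn}}}

BASE = "arn:aws:execute-api:eu-central-1:ID:"
SAMPLE = {"Version": "2012-10-17", "Statement": [  # constructed sample policy
    _stmt("s1", BASE + "API_ID/*/GET/company"),
    _stmt("s2", BASE + "API_ID/*/GET/companies"),
    _stmt("s3", BASE + "API_ID/*/POST/company"),
    _stmt("s4", BASE + "OTHER_API/*/GET/company"),
]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, BASE + "API_ID/*/GET/*"), indent=2))
```

Anything listed under `covered` could be replaced by one statement using the candidate pattern, at the cost of also allowing every other route on that API that the pattern matches.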
