Aws-cdk: ECS Secrets from SSM ParamStore exceeds IAM Policy size

Created on 8 Jun 2020  路  4Comments  路  Source: aws/aws-cdk

I'm unable to deploy my stack that makes use of ECS Secrets. I'm trying to use 58 ECS Secrets (current hard limit is 60) but how CDK is currently writing the IAM Policy for the Execution Role I'm hitting a limit with the IAM Policy.

The limit is being hit because CDK is adding a statement to the policy per parameter which creates a lot of duplication within the statement.

            Resource:
              Fn::Join:
                - ""
                - - "arn:"
                  - Ref: AWS::Partition
                  - :ssm:us-east-2:065449092177:parameter/application/parameter1
          - Action:
              - ssm:DescribeParameters
              - ssm:GetParameters
              - ssm:GetParameter
              - ssm:GetParameterHistory
            Effect: Allow

Reproduction Steps

Sorry, I don't have a stack that I can share.

  1. Create ECS Application w/60 secrets
  2. cdk deploy

Error Log

Maximum policy size of 10240 bytes exceeded for role

Environment

  • CLI Version : 1.44.0
  • Framework Version: 1.44.0
  • Node.js Version: v12.16.1
  • OS : macOS 10.15.5
  • Language (Version): TypeScript (3.7.2)

Other

My ideal solution would be an additional parameter for ecs.Secret.fromSsmParameter that gives the option to skip the grant. My stack already appends a Managed Policy to the Execution Role that has all of the access necessary for my application to pull the parameters.

A more immediate option would be to group all of the SSM parameter grants into a single statement to dramatically reduce the duplication of the Action statements 60 times

This is :bug: Bug Report

@aws-cdaws-ecs @aws-cdaws-iam bug efformedium p2
Source
picture cynicaljoy
👍5

All 4 comments

As a workaround you can always pass role.withoutPolicyUpdates() to avoid policies from getting added.

rix0rrr picture rix0rrr on 16 Jun 2020

I've come across a similar issue, I found that when using ecs.Secret.fromSSMParameter or ecs.Secret.fromSecretsManager an IAM grant is automatically added to the IAM role assigned to the TaskDefinition.
You can see the implementation here and here
The function is then invoked during the object creation here

CDK could make this better by adding an optional flag to disable autocreation of the additional IAM statements.

As a workaround you can do the following:

secretsObj = ecs.Secret.fromSecretsManager(secret);
//add a no-op function to avoid IAM statement creation
secretsObj.grantRead = function(){};
mriccia picture mriccia on 11 Sep 2020
👍1

Guys i had the same problem, when using an existing role, until i found the option mutable:

Role.fromRoleArn(this, 'ECSTaskExecutionRole', 'MyExecutionRoleArn', { mutable: false }),
LeandroSoares picture LeandroSoares on 1 Oct 2020
😄1

@rix0rrr Would it take significant work to group the ssm secrets into one statement

kyler-hyuna picture kyler-hyuna on 8 Oct 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

vgribok picture vgribok  路  3Comments
NukaCody picture NukaCody  路  3Comments
PaulMaddox picture PaulMaddox  路  3Comments
abelmokadem picture abelmokadem  路  3Comments
peterdeme picture peterdeme  路  3Comments