Docker.github.io: This policy creates an error on AWS: "Cannot exceed quota for PolicySize: 6144"

Created on 13 Mar 2018 · 5 Comments · Source: docker/docker.github.io


All 5 comments

/cc @FrenchBen

I solved it.

The linked document (https://docs.docker.com/docker-for-aws/iam-permissions/) is what is supposed to be the ideal policy. Error was "Cannot exceed quota for PolicySize: 6144" - which I've seen other issues about.

I fixed it by consolidating the policy, which fully resolves the issue. It's just too long. I haven't tried compressing, but that probably doesn't help?

Final, working solution (as modified from the docker resource), to those who surf:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1481924239005",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924344000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924651000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924759004",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924854000",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989003",
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989002",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989001",
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1487169681000",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1487169681009",
            "Effect": "Allow",
            "Action": [
                "*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

TLDR: I added wildcard selectors to the "action" of each unique resource, instead of listing all individual permissions (which resulted in too long a file).

For those using the policy from @joeyslack above: please be careful, as the policy gives full, unrestricted access to all services due to the last and third-to-last blocks:

{
    "Sid": "Stmt1487169681009",
    "Effect": "Allow",
    "Action": [
        "*"   // No colon = all services
    ],
    "Resource": [
        "*"
    ]
}

You can change these to elasticloadbalancing:* and lambda:* for a slightly more restricted policy that will work with Docker for AWS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1481924239005",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924344000",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924651000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924759004",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924854000",
            "Effect": "Allow",
            "Action": [
                "logs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989003",
            "Effect": "Allow",
            "Action": [
                "sqs:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989002",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1481924989001",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1487169681000",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1487169681009",
            "Effect": "Allow",
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
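Both comments above turn on the same two checks: does the policy fit under the 6,144-character managed-policy quota named in the error, and does any Allow statement carry a bare "*" Action (no service prefix) on Resource "*". The script below is an added example for this thread, not code from the original issue or from Docker's documentation. It assumes the quota value from the error message, approximates IAM's rule that whitespace is not counted by serialising the policy compactly, and runs on a constructed sample policy in the style of the ones posted here (not the real Docker for AWS policy). It also shows the size-reduction alternative to replacing explicit actions with service wildcards: merging statements that share Effect, Resource and Condition, which shortens the document without granting anything new.

```python
"""Audit an IAM policy for the managed-policy size quota and for over-broad
wildcard grants. Added example for this thread, not code from Docker's docs.
Assumptions (not stated on the page): the quota is the 6,144 characters named
in the error message, and IAM's "whitespace is not counted" rule is
approximated by compact JSON serialisation."""
import json
from collections import defaultdict

MANAGED_POLICY_QUOTA = 6144  # "Cannot exceed quota for PolicySize: 6144"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_size(policy):
    """Approximate the size IAM checks: JSON with no whitespace between tokens."""
    return len(json.dumps(policy, separators=(",", ":")))


def fits_quota(policy, quota=MANAGED_POLICY_QUOTA):
    return policy_size(policy) <= quota


def audit_wildcards(policy):
    """Findings for Allow statements on Resource "*" whose Action is a bare "*"
    (every action of every service: the mistake called out in the thread),
    "iam:*" (lets the caller attach any policy to itself), or "service:*".
    Returns a list of (sid, action, severity) tuples."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, action, "CRITICAL: no service prefix, full admin"))
            elif action.lower() == "iam:*":
                findings.append((sid, action, "HIGH: iam:* on * is a privilege-escalation path"))
            elif action.endswith(":*"):
                findings.append((sid, action, "MEDIUM: every action in one service"))
    return findings


def consolidate(policy):
    """Shrink a policy without widening it: merge statements that share Effect,
    Resource and Condition into one, drop optional Sids, de-duplicate actions.
    Statements using other keys (NotAction, NotResource, Principal, ...) are
    copied through untouched so their semantics cannot be altered."""
    mergeable = {"Sid", "Effect", "Action", "Resource", "Condition"}
    buckets = defaultdict(list)  # (Effect, Resources, Condition) -> actions
    passthrough = []
    for stmt in policy["Statement"]:
        if not set(stmt) <= mergeable:
            passthrough.append(stmt)
            continue
        key = (stmt["Effect"],
               tuple(sorted(_as_list(stmt["Resource"]))),
               json.dumps(stmt.get("Condition"), sort_keys=True))
        for action in _as_list(stmt["Action"]):
            if action not in buckets[key]:
                buckets[key].append(action)
    merged = []
    for (effect, resources, cond), actions in buckets.items():
        stmt = {"Effect": effect, "Action": sorted(actions),
                "Resource": list(resources) if len(resources) > 1 else resources[0]}
        condition = json.loads(cond)
        if condition is not None:
            stmt["Condition"] = condition
        merged.append(stmt)
    return {"Version": policy["Version"], "Statement": merged + passthrough}


# Constructed sample in the style of the thread's policies (not the real
# Docker for AWS policy): explicit EC2 actions spread over two statements,
# plus the service-wide and bare wildcards the thread discusses.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs"]},
        {"Sid": "Stmt2", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:DescribeInstances"]},
        {"Sid": "Stmt3", "Effect": "Allow", "Resource": "*", "Action": ["logs:*"]},
        {"Sid": "Stmt4", "Effect": "Allow", "Resource": "*", "Action": ["iam:*"]},
        {"Sid": "Stmt5", "Effect": "Allow", "Resource": "*", "Action": ["*"]},
        {"Sid": "Stmt6", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print("size:", policy_size(SAMPLE_POLICY), "fits quota:", fits_quota(SAMPLE_POLICY))
    for sid, action, why in audit_wildcards(SAMPLE_POLICY):
        print(f"  {sid}: {action} -> {why}")
    smaller = consolidate(SAMPLE_POLICY)
    print("consolidated size:", policy_size(smaller),
          "statements:", len(smaller["Statement"]))
    print(json.dumps(smaller, indent=2))
```

Run it against a policy saved from the IAM console (load the file with json.load and pass the dict) before creating the managed policy: a CRITICAL finding means the document is equivalent to AdministratorAccess whatever the other statements say, and the consolidated output is the first thing to try when the only problem is the size quota, since it keeps the original grants exactly.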

Closing this ticket due to its age, and the impending refactor. If you think this is in error, feel free to reopen. Thanks!


I need a policy in which all services (174 services) have only Read/List access.
