What happened
I was defining IAM policies with CloudFormation.
After pushing the source code to CodeCommit and merging it, the build failed with Cannot exceed quota for PolicySize: 6144.
Solution
A single policy spelled out fine-grained permissions for several services, so the fix is to define a separate policy for each service.
Example
AllInOnePolicy.yml
Resources:
  CostDashboardAdminPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: 'cost-dashboard-admin-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DirectoryService
            Effect: Allow
            Action:
              - ds:AuthorizeApplication
              - ds:CreateAlias
              - ds:CreateIdentityPoolDirectory
              - ds:DeleteDirectory
              - ds:UnauthorizeApplication
            Resource: '*' # as per doc https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-all-access-enterprise-edition
          - Sid: IAM
            Action:
              - iam:AttachRolePolicy
              - iam:CreatePolicy
              - iam:CreatePolicyVersion
              - iam:CreateRole
              - iam:PassRole
              - iam:DeletePolicyVersion
              - iam:DetachRolePolicy
            Effect: Allow
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/aws-quicksight-service-role-v0
          - Sid: S3
            Action:
              - s3:ListBucket
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:PutObject
              - s3:ListBucketMultipartUploads
              - s3:GetBucketLocation
              - s3:AbortMultipartUpload
              - s3:ListMultipartUploadParts
            Effect: Allow
            Resource:
              - !Sub arn:aws:s3:::cid-${AWS::AccountId}-shared
              - !Sub arn:aws:s3:::aws-athena-query-results-cid-${AWS::AccountId}-${AWS::Region}
              - !Sub arn:aws:s3:::athena-query-result-${AWS::AccountId}
          # etc...
Written this way the policy gets long, so split it as shown below.
DirectoryServicePolicy.yml
Resources:
  DirectoryServicePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: 'directory-service-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DirectoryService
            Effect: Allow
            Action:
              - ds:AuthorizeApplication
              - ds:CreateAlias
              - ds:CreateIdentityPoolDirectory
              - ds:DeleteDirectory
              - ds:UnauthorizeApplication
            Resource: '*' # as per doc https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html#security_iam_id-based-policy-examples-all-access-enterprise-edition
CreateCidServiceRolePolicy.yml
Resources:
  CreateCidServiceRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: 'create-cid-service-role-policy'
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: IAM
            Action:
              - iam:AttachRolePolicy
              - iam:CreatePolicy
              - iam:CreatePolicyVersion
              - iam:CreateRole
              - iam:PassRole
              - iam:DeletePolicyVersion
              - iam:DetachRolePolicy
            Effect: Allow
            Resource:
              - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/aws-quicksight-service-role-v0
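As an added example (not code from the original post), here is a pre-deploy check that estimates the size of every AWS::IAM::ManagedPolicy document in a template against the 6,144-character quota behind the error above, so an oversized policy is caught before the build and the split can be verified. It takes the template as the dict that json.load or a CloudFormation-aware YAML loader returns; the helper names, the sample template and the svc:ActionNNNN action names are constructed for this example.

```python
"""Estimate every AWS::IAM::ManagedPolicy document in a parsed CloudFormation
template against the 6,144-character managed-policy quota (whitespace excluded),
so 'Cannot exceed quota for PolicySize' is caught before the build runs."""
import json

MANAGED_POLICY_QUOTA = 6144  # characters, whitespace not counted by IAM

def _flatten_intrinsics(node):
    """Replace {"Fn::Sub": ...} / {"Ref": ...} with their argument so the document
    serialises like a real policy. Placeholders such as ${AWS::AccountId} are longer
    than the 12-digit id they resolve to, so the estimate over-counts slightly."""
    if isinstance(node, dict):
        if len(node) == 1:
            (key, value), = node.items()
            if key == "Ref" or key.startswith("Fn::"):
                value = _flatten_intrinsics(value)
                return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))
        return {k: _flatten_intrinsics(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_flatten_intrinsics(v) for v in node]
    return node

def policy_size(policy_document):
    """Character count of the compact JSON form, which is what IAM measures."""
    return len(json.dumps(_flatten_intrinsics(policy_document), separators=(",", ":")))

def managed_policy_sizes(template):
    """Map each AWS::IAM::ManagedPolicy logical id to its estimated document size."""
    return {lid: policy_size(res["Properties"]["PolicyDocument"])
            for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::ManagedPolicy"}

def over_quota(template):
    """Logical ids whose document would be rejected for PolicySize."""
    return sorted(k for k, v in managed_policy_sizes(template).items() if v > MANAGED_POLICY_QUOTA)

def _policy(sid, actions, resource):
    # Helper to build a constructed AWS::IAM::ManagedPolicy resource with one statement.
    return {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}]}}}

# Constructed sample: the split IAM policy from the post beside a deliberately bloated one.
SAMPLE_TEMPLATE = {"Resources": {
    "CreateCidServiceRolePolicy": _policy("IAM", ["iam:AttachRolePolicy", "iam:PassRole"],
        [{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/service-role/aws-quicksight-service-role-v0"}]),
    "AllInOnePolicy": _policy("TooMany", [f"svc:Action{i:04d}" for i in range(400)], "*"),  # ~6,800 chars
}}
```

Running over_quota(SAMPLE_TEMPLATE) reports only AllInOnePolicy; in a pipeline, run it on the parsed template and fail the build when the list is non-empty.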