You are encountering a Federation Error due to a PackedPolicyTooLargeException:


Federation Error

com.amazonaws.services.securitytoken.model.PackedPolicyTooLargeException: Packed policy consumes 103% of allotted space, please use smaller policy. (Service: AWSSecurityTokenService; Status Code: 400; Error Code: PackedPolicyTooLarge; Request ID: c60371ab-222b-11e4-96ea-8d3d7cd69578)

Solution

There are limitations on IAM entities, including limits on policy size, and the policies attached to an entity add up on the AWS side:

You can add as many policies as you want to a user, role, or group, but the total aggregate policy size (the sum size of all policies) per entity cannot exceed the following limits:

  • User policy size cannot exceed 2,048 characters
  • Role policy size cannot exceed 10,240 characters
  • Group policy size cannot exceed 5,120 characters

Note
IAM does not count whitespace when calculating the size of a policy against these limitations.

The AWS team's response to a corresponding question in the IAM forum advises as follows:

There are two restrictions on the size of a policy that gets passed to STS. First is the length of the policy string that you pass to the API, which is 2048. Second is the size of the "packed" policy after it has been optimized for space by the service. Currently AWS doesn't specify exactly how this is determined, so the API returns a "PackedPolicySize" value, which is a percentage indicating how close to 100% your policy is. As this value gets close to 100%, small changes to the policy may cause STS to reject your policy.

Because of this, it's important to use fairly small policies when calling STS.

There are two primary strategies for limiting the size of policies you use with STS:

  • Associate as much policy logic as possible with the underlying IAM user who calls STS
  • Use wildcard characters ('*' and '?') to limit duplication

For example, you could replace the following list

    ["arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files",
     "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files/*",
     "arn:aws:s3:::bucket2/meta001/data/u/xxxxxxsdkjghskjghsjf/My Files*",
     "arn:aws:s3:::bucket2/meta001/info/u/xxxxxxsdkjghskjghsjf/My Files*"]

...

with the string

    "arn:aws:s3:::*/xxxxxxsdkjghskjghsjf/My Files*"

If you were worried about access to files in other buckets, you could restrict the policy for the underlying IAM user only to buckets (see the IAM User Guide for details on the policy evaluation semantics):

    ["arn:aws:s3:::bucket/u/*", "arn:aws:s3:::bucket2/meta001/"]
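The following is an added example, not code from this article or from the AWS forum reply: it measures a session policy against the 2048-character plaintext limit before it is handed to STS, compares the verbose resource list above with its wildcard replacement, and flags a PackedPolicySize percentage that is getting close to the rejection point. The S3 actions, the 80% warning thresholds and the sample STS response are assumptions chosen for the illustration.

```python
import json

# Plaintext limit on the policy string passed to STS, as quoted in the article.
STS_POLICY_CHAR_LIMIT = 2048

def policy_chars(policy: dict) -> int:
    """Characters IAM counts for a policy document.

    The article notes that IAM ignores whitespace, so the policy is serialised in
    its most compact form. Whitespace inside string values (e.g. "My Files") is
    kept, which can only over-estimate the size (assumption: err on the safe side)."""
    return len(json.dumps(policy, separators=(",", ":")))

def s3_read_policy(resources: list) -> dict:
    """Minimal session policy granting read-only S3 access to the given resources."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": resources}]}

def check_session_policy(policy: dict, warn_at: float = 0.8) -> dict:
    """Size report for a policy before it is sent to STS: 'ok' means the plaintext
    is within the 2048-character limit; 'warn' flags policies close enough to it
    that the opaque packed-size check may reject them too (warn_at is our choice)."""
    n = policy_chars(policy)
    ratio = n / STS_POLICY_CHAR_LIMIT
    return {"chars": n, "ratio": round(ratio, 3),
            "ok": n <= STS_POLICY_CHAR_LIMIT, "warn": ratio >= warn_at}

def packed_policy_too_close(sts_response: dict, warn_at: int = 80) -> bool:
    """True when the PackedPolicySize percentage that AssumeRole / GetFederationToken
    return is at or above warn_at, i.e. small policy growth will start producing
    PackedPolicyTooLargeException."""
    return int(sts_response.get("PackedPolicySize", 0)) >= warn_at

# The verbose resource list from the article and its wildcard replacement.
VERBOSE_RESOURCES = [
    "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files",
    "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files/*",
    "arn:aws:s3:::bucket2/meta001/data/u/xxxxxxsdkjghskjghsjf/My Files*",
    "arn:aws:s3:::bucket2/meta001/info/u/xxxxxxsdkjghskjghsjf/My Files*",
]
WILDCARD_RESOURCES = ["arn:aws:s3:::*/xxxxxxsdkjghskjghsjf/My Files*"]

if __name__ == "__main__":
    for name, res in (("verbose", VERBOSE_RESOURCES), ("wildcard", WILDCARD_RESOURCES)):
        print(name, check_session_policy(s3_read_policy(res)))
    # Constructed STS response, mirroring the 103% in the article's error message.
    print("packed size too close:", packed_policy_too_close({"PackedPolicySize": 103}))
```

Run it against the real response of a boto3 `assume_role` or `get_federation_token` call to catch policies that are drifting toward the limit before they start failing in production.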
