Prevent Federation Error due to PackedPolicyTooLargeException

Problem

You are encountering a Federation Error due to a PackedPolicyTooLargeException:

 Federation Error

com.amazonaws.services.securitytoken.model.PackedPolicyTooLargeException: Packed policy consumes 103% of allotted space, please use smaller policy. (Service: AWSSecurityTokenService; Status Code: 400; Error Code: PackedPolicyTooLarge; Request ID: c60371ab-222b-11e4-96ea-8d3d7cd69578)

Solution

There are limitations on IAM entities, including policy sizes, and those add up on the AWS side of things:

You can add as many policies as you want to a user, role, or group, but the total aggregate policy size (the sum size of all policies) per entity cannot exceed the following limits:

• User policy size cannot exceed 2,048 characters

• Role policy size cannot exceed 10,240 characters

• Group policy size cannot exceed 5,120 characters

IAM does not count whitespace when calculating the size of a policy against these limitations.

The AWS team's response to a corresponding question in the IAM forum advises as follows:

There are two restrictions on the size of a policy that gets passed to STS. First is the length of the policy string that you pass to the API, which is 2048. Second is the size of the "packed" policy after optimized for space by the service. Currently AWS doesn't specify exactly how this is determined, so the API returns a "PackedPolicySize" value, which is a percentage indicating how close to 100% your policy is. As this value gets close to 100%, small changes to the policy may cause STS to reject your policy.

Because of this, it's important to use fairly small policies when calling STS.

There are two primary strategies for limiting the size of policies you use with STS:

• Associate as much policy logic as possible with the underlying IAM user who calls STS

• Use wildcard characters ('*' and '?') to limit duplication


For example, you could replace the following list

    ["arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files",
     "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files/*",
     "arn:aws:s3:::bucket2/meta001/data/u/xxxxxxsdkjghskjghsjf/My Files*",
     "arn:aws:s3:::bucket2/meta001/info/u/xxxxxxsdkjghskjghsjf/My Files*"]

with the string

    "arn:aws:s3:::*/xxxxxxsdkjghskjghsjf/My Files*"

If you were worried about access to files in other buckets, you could restrict the policy for the underlying IAM user only to buckets (see the IAM User Guide for details on the policy evaluation semantics):

    ["arn:aws:s3:::bucket/u/*", "arn:aws:s3:::bucket2/meta001/"]
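As an added example (not code from the original article or from AWS), a Python pre-flight check that sizes a session policy the way IAM counts it (whitespace excluded) against the 2,048-character STS limit, compares the verbose resource list above with its wildcard replacement, and reads the PackedPolicySize percentage out of an STS response before it creeps toward 100%. The 80% warning threshold and the sample STS response are assumptions.

```python
import json

STS_POLICY_PLAINTEXT_LIMIT = 2048   # characters, plain-text limit of an STS session policy
PACKED_WARN_THRESHOLD = 80          # assumed: our own safety margin below 100% packed

def policy_text_size(policy: dict) -> int:
    """Length of the policy as IAM counts it: serialize compactly and drop
    every whitespace character (an approximation of IAM's own counting)."""
    text = json.dumps(policy, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())

def session_policy_check(policy: dict) -> dict:
    """Report the plain-text size against the 2048-character STS limit."""
    size = policy_text_size(policy)
    return {
        "size": size,
        "ok": size <= STS_POLICY_PLAINTEXT_LIMIT,
        "percent_of_limit": round(100 * size / STS_POLICY_PLAINTEXT_LIMIT, 1),
    }

def packed_policy_headroom(sts_response: dict) -> dict:
    """Read PackedPolicySize (a percentage) from an AssumeRole/GetFederationToken
    response and flag it once it nears 100%, where small edits get rejected."""
    packed = sts_response.get("PackedPolicySize")
    return {"packed_percent": packed,
            "warn": packed is not None and packed >= PACKED_WARN_THRESHOLD}

def s3_read_policy(resources: list) -> dict:
    """Build a minimal session policy granting read access to the given ARNs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": list(resources)}]}

# The verbose resource list from the article and its wildcard replacement.
VERBOSE_RESOURCES = [
    "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files",
    "arn:aws:s3:::bucket/u/xxxxxxsdkjghskjghsjf/My Files/*",
    "arn:aws:s3:::bucket2/meta001/data/u/xxxxxxsdkjghskjghsjf/My Files*",
    "arn:aws:s3:::bucket2/meta001/info/u/xxxxxxsdkjghskjghsjf/My Files*",
]
WILDCARD_RESOURCES = ["arn:aws:s3:::*/xxxxxxsdkjghskjghsjf/My Files*"]

# Constructed sample of the relevant field of an STS response (not real output).
SAMPLE_STS_RESPONSE = {"PackedPolicySize": 92}

if __name__ == "__main__":
    print(session_policy_check(s3_read_policy(VERBOSE_RESOURCES)))
    print(session_policy_check(s3_read_policy(WILDCARD_RESOURCES)))
    print(packed_policy_headroom(SAMPLE_STS_RESPONSE))
```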
