How can I avoid getting a PackedPolicyTooLarge error when I assume an IAM role via AWS STS?

Short description

When you assume an IAM role through STS, you might receive a PackedPolicyTooLarge error message with one of the following details:

• Packed size of session tags consumes n% of allotted space.
• Packed policy consumes n% of allotted space, please use smaller policy.
  Note: n represents the percentage of used space in the PackedPolicySize.

STS lets you pass in the following types of session tags:

• Inline session policies
• Managed policy Amazon Resource Names (ARNs)
• Customer managed policy ARNs when you assume an IAM role.

STS stores the data relating to the tags, policies, and ARNs within the AWS session token. All this data counts towards the PackedPolicySize limit.

Note: Customer managed policies must be in the same AWS account as the IAM role that you're assuming.

When set, session tags, inline session policies, and managed policy ARNs increase the size of an AWS session token. However, there's a finite token size limit that applies, regardless of the number of session tag and session policy quotas that are used. Exceeding the finite limit generates an error.

Inline session policies and session tags are serialized and compressed in the session token. This makes it difficult to determine how much of the PackedPolicySize gets used before making an AssumeRole call to STS.

Note: The AWS CloudTrail logs for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity show the PackedPolicySize. Also, as part of the response, the AWS API returns the percentage of the PackedPolicySize that's used in the request.

Resolution

Reduce the length of the inline session policy or session tags (keys and values) that you pass in to STS when you assume a role. The following sections provide ways to limit the data for session tags and inline session policies.

Session tags

• Abbreviate or shorten the session tag keys or values. Session tags are normally used for attribute-based access control (ABAC). To make effective use of your policy space for ABAC, put into session tags only the information that's required to authorize decisions.
• For session tags for non-ABAC purposes, such as audit information, replace the records in session tags with references to an external system of record.
• Use a consistent case, such as lower case, for all tag keys and values. AWS session tokens store compressed tag keys and values, and compression algorithms work best when you use a consistent character case.
• If you place identity information inside of session tags, then it's a best practice to move it into SourceIdentity that has a separate quota.

Inline session policies

• Remove statement ID (Sid) elements from session policies. Sid is an optional element in session policy statements.
• Use wildcard characters to shorten IAM actions and resource ARNs, where appropriate.
• Pass in managed policy ARNs instead of a policy document. The managed policy ARN is just a reference to a policy and takes up less space inside the token. You can pass both managed policies and a session policy.
• To create policies that only grant access conditionally, use session tags with managed policies or inline policies that are attached to the role.