How can I avoid getting a PackedPolicyTooLarge error when I assume an IAM role via AWS STS?

Short description

You might receive a PackedPolicyTooLarge error message with one of the following details when you assume an IAM role through STS:

• Packed size of session tags consumes n% of allotted space.
• Packed policy consumes n% of allotted space, please use smaller policy.
  Note: n represents the percentage of the PackedPolicySize used.

STS lets you pass in the following types of session tags:

• Inline session policies
• Managed policy Amazon Resource Names (ARNs)
• Customer managed policy ARNs when you assume an IAM role.

STS stores the data relating to the tags, policies, and ARNs within the AWS session token. All this data counts towards the PackedPolicySize limit.

Note: Customer managed policies must be in the same AWS account as the IAM role that you are assuming.

When set, session tags, inline session policies, and managed policy ARNs increase the size of an AWS session token. However, there's a finite token size limit that applies, regardless of the number of session tag and session policy quotas being used. Exceeding the finite limit generates an error.

Inline session policies and session tags are serialized and compressed in the session tag. This makes it difficult to determine how much of the PackedPolicySize gets used before making an AssumeRole call to STS.

Note: The AWS CloudTrail logs for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity show the PackedPolicySize. Also, the AWS API returns the percentage of the PackedPolicySize used in the request as part of the response.

Resolution

Reduce the length of the inline session policy or session tags (keys and values) that are passed in to STS when you assume a role. The following sections provide ways to limit the data for session tags and inline session policies.

Session tags

• Abbreviate or shorten the session tag keys or values. Session tags are normally used for attribute-based access control (ABAC). To make effective use of your policy space for ABAC, put into session tags only the information that's required to authorize decisions.
• If using session tags for non-ABAC purposes, such as audit information, replace the records in session tags with references to an external system of record.
• Use a consistent case, for example, lower case, for all tag keys and values. AWS session tokens store compressed tag keys and values, and compression algorithms work best when you use a consistent character case.
• If you're placing identity information inside of session tags, consider moving it into SourceIdentity that has a separate quota.

Inline session policies

• Remove statement ID (Sid) elements from session policies. Sid's an optional element in session policy statements.
• Use wildcard characters to shorten IAM actions and resource ARNs, where appropriate.
• Pass in managed policy ARNs instead of a policy document. The managed policy ARN is just a reference to a policy and takes up less space inside the token. You can pass both managed policies and a session policy.
• Use session tags with managed policies or inline policies attached to the role to create policies that only grant access conditionally, based on session tags.