When I set a trigger to invoke my AWS Lambda function, I get the error "The final policy size is bigger than the limit". How do I resolve the error?
Short description
If your Lambda function's resource-based policy is over 20 KB, then Lambda returns a "The final policy size is bigger than the limit" error.
The error can occur when you add policy statements to your function's resource-based policy by doing either of the following:
To resolve the error, reduce the size of your function's resource-based policy: remove repetitive policy statements and replace them with consolidated statements that use wildcards (*). For more information, see Lambda quotas and Cleaning up resource-based policies.
Resolution
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
Review your function's resource-based policies
Note: For the following commands, replace my-function with your function's name or Amazon Resource Name (ARN).
1. Run the following get-policy AWS CLI command to find and review your Lambda function's resource-based policy:
$ aws lambda get-policy --function-name my-function
Note: You can also use the command line JSON processor, jq, in the get-policy command to write advanced queries. For information on how to download and install jq, see Download jq on the jq website on GitHub.
Example get-policy command that uses jq to format a Lambda function's policy as a JSON file
$ aws lambda get-policy --function-name my-function | jq '.Policy|fromjson'
Example get-policy command that uses jq to find the size of a Lambda function's policy
$ aws lambda get-policy --function-name my-function | jq -r '.Policy' | wc -c
Example get-policy command that uses jq to find the statement ID (Sid) of certain policy statements
Replace events.amazonaws.com with the AWS service that invokes your function.
$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select(.Principal.Service=="events.amazonaws.com")
| .Sid'
Example get-policy command that uses jq to get the Sid of resources whose names start with the same string
Replace arn:aws:events:region:account-id:rule/test- with a string shared by the ARNs of resources across multiple, repetitive policy statements.
$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select((.Condition.ArnLike."AWS:SourceArn" // "") | startswith("arn:aws:events:region:account-id:rule/test-"))
| .Sid'
2. In the resource-based policy, identify policy statements that you can replace with a wildcard. Note the Sid of each policy statement.
Remove repetitive policy statements
Run the following remove-permission AWS CLI command to remove each repetitive policy statement. Replace my-function with your function's name or ARN. Replace sid with the Sid of the policy statement that you want to remove.
$ aws lambda remove-permission --function-name my-function --statement-id sid
Add policy statements that use a wildcard (*)
Run the following add-permission AWS CLI command to add a new, consolidated policy statement that includes a wildcard (*). Replace my-function with your function's name or ARN. Replace sid with a new Sid of your choice. Replace events.amazonaws.com with the AWS service or account principal that invokes your function. Replace arn:aws:events:region:account-id:rule/test-* with the ARN string (plus a wildcard) shared by the resources that you're granting permissions to.
$ aws lambda add-permission --function-name my-function \
--statement-id 'sid' \
--action 'lambda:InvokeFunction' \
--principal 'events.amazonaws.com' \
--source-arn 'arn:aws:events:region:account-id:rule/test-*'
Note: Triggers with wildcards in the resource-based policy might not be visible in the Lambda console. For more information, see Event-driven invocation.
For more information, see Granting function access to AWS services.
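The following script, added here as an example and not code from this article or from AWS, carries the whole procedure above through on a policy document offline: it parses the output of aws lambda get-policy (the Policy field is the policy stored as a JSON string), checks the size against the 20 KB quota, groups the repetitive statements that share a principal, an action and a SourceArn prefix, and emits the remove-permission and add-permission commands for each group. The function ARN, account IDs, rule names and the get-policy output are constructed sample values. It also adds one check the steps do not spell out: a common prefix that stops at the resource type (for example rule/*) would grant every rule in the account, so such a group is reported but not consolidated.

```python
"""Plan the clean-up of a Lambda resource-based policy that is near the 20 KB quota.
Added example (not AWS code): size check, grouping of repetitive statements and the
remove-permission / add-permission commands from the steps above."""
import json
from os.path import commonprefix

POLICY_SIZE_LIMIT = 20 * 1024  # Lambda quota for a function's resource-based policy
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:my-function"  # constructed


def invoke_statement(sid, principal, source_arn=None):
    """Build one lambda:InvokeFunction statement of the shape add-permission writes."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if source_arn:
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return stmt


def make_get_policy_output(statements):
    """Constructed stand-in for `aws lambda get-policy` output (compact, as Lambda stores it)."""
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": statements}
    return json.dumps({"Policy": json.dumps(policy, separators=(",", ":")),
                       "RevisionId": "constructed-revision-id"})


# Constructed sample: three EventBridge rules named test-0..2, one S3 bucket, one account.
SAMPLE_GET_POLICY_OUTPUT = make_get_policy_output(
    [invoke_statement(f"events-rule-{i}", {"Service": "events.amazonaws.com"},
                      f"arn:aws:events:us-east-1:111122223333:rule/test-{i}") for i in range(3)]
    + [invoke_statement("s3-bucket", {"Service": "s3.amazonaws.com"}, "arn:aws:s3:::my-bucket"),
       invoke_statement("cross-account", {"AWS": "arn:aws:iam::444455556666:root"})])


def load_policy(get_policy_output):
    """The Policy field is a JSON document stored as a string, so it is parsed twice."""
    return json.loads(json.loads(get_policy_output)["Policy"])


def policy_size(get_policy_output):
    """Bytes in the Policy string: what `jq -r '.Policy' | wc -c` reports, minus jq's newline."""
    return len(json.loads(get_policy_output)["Policy"].encode("utf-8"))


def source_arn(stmt):
    """ArnLike AWS:SourceArn of a statement, or None when it has no such condition."""
    return stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")


def resource_type_prefix(arn):
    """'...:rule/test-1' -> '...:rule/'; 'arn:aws:s3:::bucket' -> 'arn:aws:s3:::'."""
    sep = arn.rfind("/") if "/" in arn else arn.rfind(":")
    return arn[: sep + 1]


def find_consolidation_groups(policy):
    """Group Allow statements by principal, action and ARN resource type; keep groups of 2+."""
    groups = {}
    for stmt in policy["Statement"]:
        arn = source_arn(stmt)
        if arn is None or stmt.get("Effect") != "Allow":
            continue  # account principals without a SourceArn cannot be merged by prefix
        key = (json.dumps(stmt["Principal"], sort_keys=True),
               json.dumps(stmt["Action"], sort_keys=True), resource_type_prefix(arn))
        groups.setdefault(key, []).append(stmt)
    result = []
    for (principal, _action, type_prefix), stmts in groups.items():
        if len(stmts) < 2:
            continue
        prefix = commonprefix([source_arn(s) for s in stmts])
        result.append({"principal": json.loads(principal),
                       "remove_sids": [s["Sid"] for s in stmts],
                       "source_arn": prefix + "*",
                       # 'rule/*' would admit every rule in the account: flag, don't apply
                       "scoped": len(prefix) > len(type_prefix)})
    return result


def plan_consolidation(get_policy_output, function_name):
    """Size check plus the CLI commands that replace each scoped group with one wildcard statement."""
    policy = load_policy(get_policy_output)
    groups = find_consolidation_groups(policy)
    statements, commands = list(policy["Statement"]), []
    for n, group in enumerate(groups, 1):
        if not group["scoped"]:
            continue
        template = next(s for s in statements if s["Sid"] == group["remove_sids"][0])
        statements = [s for s in statements if s["Sid"] not in group["remove_sids"]]
        commands += [f"aws lambda remove-permission --function-name {function_name} "
                     f"--statement-id {sid}" for sid in group["remove_sids"]]
        principal = group["principal"].get("Service") or group["principal"].get("AWS")
        new_sid = f"consolidated-{n}"  # any unused Sid works; this naming is an assumption
        commands.append(f"aws lambda add-permission --function-name {function_name} "
                        f"--statement-id {new_sid} --action lambda:InvokeFunction "
                        f"--principal {principal} --source-arn '{group['source_arn']}'")
        statements.append(dict(template, Sid=new_sid,
                               Condition={"ArnLike": {"AWS:SourceArn": group["source_arn"]}}))
    after = json.dumps(dict(policy, Statement=statements), separators=(",", ":"))
    size = policy_size(get_policy_output)
    return {"size_bytes": size, "over_limit": size > POLICY_SIZE_LIMIT, "groups": groups,
            "estimated_size_after": len(after.encode("utf-8")), "commands": commands}


if __name__ == "__main__":
    plan = plan_consolidation(SAMPLE_GET_POLICY_OUTPUT, "my-function")
    print(f"policy is {plan['size_bytes']} bytes (limit {POLICY_SIZE_LIMIT}), over: {plan['over_limit']}")
    print("\n".join(plan["commands"]))
```

To use it against a real function, replace SAMPLE_GET_POLICY_OUTPUT with the text that aws lambda get-policy --function-name my-function prints, review the generated commands, and run the remove-permission commands before the add-permission command for each group; the estimated size after is measured on the compact JSON and is a guide, not the exact figure Lambda enforces.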
Related information
IAM JSON policy elements: resource
Controlling command output from the AWS CLI (AWS CLI User Guide)
Why doesn't my Amazon S3 event notification invoke my Lambda function?
How do I stop and start Amazon EC2 instances at regular intervals using Lambda?