I tried to assume an AWS Identity and Access Management (IAM) role through AWS Security Token Service (AWS STS) and received the "PackedPolicyTooLarge" error.
Short description
When you assume an IAM role through AWS STS, you might receive a "PackedPolicyTooLarge" error message with one of the following details:
- Packed size of session tags consumes n% of allotted space.
- Packed policy consumes n% of allotted space, please use smaller policy.
Note: The variable n represents the percentage of used space in the PackedPolicySize limit.
STS lets you pass in the following types of parameters when you assume the IAM role:
- Inline session policies
- Managed policy Amazon Resource Names (ARNs)
- Session tags
STS stores the data related to the session tags, inline policies, and managed policy ARNs within the AWS session token. All this data counts towards the PackedPolicySize limit.
Note: Customer managed policies must be in the same AWS account as the IAM role that you're assuming.
When you pass session tags, inline session policies, and managed policy ARNs, you increase the size of the session token. However, a finite token size limit applies regardless of the separate quotas for the number of session tags and session policies that you use. The "PackedPolicyTooLarge" error occurs because that finite limit was exceeded.
Inline session policies and session tags are serialized and compressed in the session token. As a result, you might not be able to easily determine how much of the PackedPolicySize is used before the AssumeRole API call to STS is made.
Note: The AWS CloudTrail logs for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity show the PackedPolicySize. Also, as part of the response, the AWS API returns the percentage of the PackedPolicySize that's used in the request.
Resolution
Reduce the length of the inline session policy or session tags (keys and values) that you pass in to STS when you assume a role. The following sections provide ways to limit the data for session tags and inline session policies.
Session tags
- Abbreviate or shorten the session tag keys or values. Session tags are normally used for attribute-based access control (ABAC). To make effective use of your policy space for ABAC, put into session tags only the information that's required to authorize decisions.
- For session tags for non-ABAC purposes, such as audit information, replace the records in session tags with references to an external system of record.
- Use a consistent case, such as lower case, for all tag keys and values. Session tokens store compressed tag keys and values, and compression algorithms work best when you use a consistent character case.
- If you place identity information inside session tags, then it's a best practice to move it into SourceIdentity, which has a separate quota.
Inline session policies
- Remove statement ID (Sid) elements from session policies. Sid is an optional element in session policy statements.
- Where appropriate, use wildcard characters to shorten IAM actions and resource ARNs.
- Pass in managed policy ARNs instead of a policy document. The managed policy ARN is a reference to a policy, and this action takes up less space inside the token. You can pass both managed policies and a session policy.
- To create policies that grant only conditional access, use session tags with managed policies or inline policies that are attached to the role.
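The following Python helper, added here as an illustration and not part of the AWS article, applies the session tag and inline policy reductions above to a constructed sample policy before building the keyword arguments for boto3's sts.assume_role(), and reads the PackedPolicySize percentage that the article notes is returned in the AssumeRole response. The sample policy, bucket name, role ARN and tag values are invented; the threshold of 80 percent is an assumed alerting point, not an AWS value, and the byte counts are only a rough indicator because STS compresses and packs the data in a way this script does not reproduce.

```python
import json

# Constructed sample session policy (not from the article): long Sid elements
# and pretty-printed whitespace are the kind of overhead the article says to remove.
SAMPLE_SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingObjectsFromTheReportsBucketForThisSession",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        },
        {
            "Sid": "AllowListingTheReportsBucketForThisSession",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-reports-bucket",
        },
    ],
}

# Constructed sample tags with inconsistent character case.
SAMPLE_TAGS = [{"Key": "CostCenter", "Value": "R-AND-D"}, {"Key": "Team", "Value": "Platform"}]

# Assumed alerting threshold (percent of PackedPolicySize); not an AWS-defined value.
WARN_AT_PERCENT = 80


def slim_session_policy(policy):
    """Return a copy of the policy with the optional Sid element dropped from each statement."""
    slimmed = {k: v for k, v in policy.items() if k != "Statement"}
    slimmed["Statement"] = [
        {k: v for k, v in stmt.items() if k != "Sid"} for stmt in policy["Statement"]
    ]
    return slimmed


def compact_policy_json(policy):
    """Serialize without the whitespace a pretty-printed document carries."""
    return json.dumps(policy, separators=(",", ":"))


def normalize_session_tags(tags):
    """Lowercase tag keys and values so the token's compression sees a consistent case."""
    return [{"Key": t["Key"].lower(), "Value": t["Value"].lower()} for t in tags]


def build_assume_role_request(role_arn, session_name, managed_policy_arns=(), inline_policy=None, tags=()):
    """Build keyword arguments for boto3 sts.assume_role(), passing managed policy ARNs
    as references and only adding a slimmed, compacted inline policy when one is given."""
    request = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if managed_policy_arns:
        request["PolicyArns"] = [{"arn": arn} for arn in managed_policy_arns]
    if inline_policy is not None:
        request["Policy"] = compact_policy_json(slim_session_policy(inline_policy))
    if tags:
        request["Tags"] = normalize_session_tags(tags)
    return request


def packed_policy_usage(response, warn_at=WARN_AT_PERCENT):
    """Read PackedPolicySize (percentage of the limit used) from an AssumeRole response.
    Returns (percent_used, over_threshold) so callers can log a warning before the
    limit is hit on a later, larger request."""
    used = int(response.get("PackedPolicySize", 0))
    return used, used >= warn_at


if __name__ == "__main__":
    verbose = json.dumps(SAMPLE_SESSION_POLICY, indent=2)
    slim = compact_policy_json(slim_session_policy(SAMPLE_SESSION_POLICY))
    print(f"pretty-printed with Sids: {len(verbose)} bytes; compact without Sids: {len(slim)} bytes")

    request = build_assume_role_request(
        "arn:aws:iam::123456789012:role/ExampleRole",  # constructed ARN
        "example-session",
        managed_policy_arns=["arn:aws:iam::123456789012:policy/ExampleReportsRead"],
        tags=SAMPLE_TAGS,
    )
    print(json.dumps(request, indent=2))
    # The real call would be boto3.client("sts").assume_role(**request);
    # this constructed response stands in for it so the script runs offline.
    fake_response = {"PackedPolicySize": 92}
    percent, over = packed_policy_usage(fake_response)
    print(f"PackedPolicySize used: {percent}% (over threshold: {over})")
```

The offline run prints the byte saving from dropping Sids and whitespace, the request built with a managed policy ARN and lowercased tags, and the usage figure from the constructed response. In production, log the PackedPolicySize from every AssumeRole response (it also appears in the CloudTrail event) so a creeping tag or policy size is caught before the PackedPolicyTooLarge error appears.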
Related information
How can I resolve the AWS STS AssumeRoleWithWebIdentity API call error "InvalidIdentityToken"?
How can I troubleshoot the AWS STS error "the security token included in the request is expired" when using the AWS CLI to assume an IAM role?
How can I resolve API throttling or "Rate exceeded" errors for IAM and AWS STS?