Hi,
AFAIK, IAM is a global service, whose objects are valid for all regions. As a consequence, region name is not part of the ARN.
But, as you say, the quota is global. So, if you multiply roles that are strictly identical in credentials but different in name, you will certainly reach the hard limit rapidly.
So, you should create roles only based on the different credentials they grant and avoid creating multiple roles granting the same credentials.
What is generating so many roles: is it the way that CDK is used?
The optimal way to use CDK in this situation is to create the roles 100% independently from the Lambdas (i.e. before them) and then have the Lambdas use the existing roles when they get created.
This reduced number of roles will also improve the management of your security: fewer objects and a clear view of Lambdas with the same auths.
Going this way should not create too much work: it will just require creating a mapping function between the roles and the Lambdas.
Note: IAM global objects replicate asynchronously across regions. So, you may want to split your current CDK into distinct projects for the roles and for the Lambdas. Then, you should deploy the roles once from a central region and give them time to propagate before you deploy the Lambdas in each region.
Best,
Didier
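The "mapping function between the roles and the Lambdas" described in the answer above, as an added example that is not part of the original post: it groups functions by the permissions they actually need, derives one role per distinct grant set, and fails early if even the de-duplicated count would exceed the role quota. The sample Lambdas, policy statements and the `role_quota` default are constructed placeholders; the returned assignment is what you would feed into CDK when creating each function with an existing role.

```python
import hashlib
import json
from collections import defaultdict


def canonical_policy(statements):
    """Canonical JSON for a list of IAM statements: drops Sid labels and sorts
    actions, resources and statements so equivalent grants compare equal."""
    norm = []
    for stmt in statements:
        s = {k: v for k, v in stmt.items() if k != "Sid"}
        for key in ("Action", "Resource", "NotAction", "NotResource"):
            if key in s:
                vals = s[key] if isinstance(s[key], list) else [s[key]]
                s[key] = sorted(set(vals))
        norm.append(s)
    norm.sort(key=lambda s: json.dumps(s, sort_keys=True))
    return json.dumps(norm, sort_keys=True, separators=(",", ":"))


def plan_roles(lambdas, role_quota=1000):
    """Map {function_name: [statements]} onto one role per distinct grant set.
    Returns (roles, assignment): role name -> canonical statements, and
    function name -> role name. role_quota stands in for the account's quota."""
    by_policy = defaultdict(list)
    for fn_name, statements in lambdas.items():
        by_policy[canonical_policy(statements)].append(fn_name)
    roles, assignment = {}, {}
    for canon, fn_names in by_policy.items():
        # Name from the policy hash, so identical grants always reuse one role.
        role_name = "shared-lambda-role-" + hashlib.sha256(canon.encode()).hexdigest()[:8]
        roles[role_name] = json.loads(canon)
        for fn_name in fn_names:
            assignment[fn_name] = role_name
    if len(roles) > role_quota:
        raise ValueError(f"{len(roles)} distinct roles exceed the quota of {role_quota}")
    return roles, assignment


# Constructed sample input: three functions but only two distinct grant sets.
READ_S3 = {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
SEND_SQS = {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "arn:aws:sqs:*:111122223333:example-queue"}
SAMPLE_LAMBDAS = {
    "ingest-eu": [READ_S3, SEND_SQS],
    "ingest-us": [SEND_SQS, {**READ_S3, "Sid": "ReadInput"}],  # same grants, reordered plus a Sid
    "reporter": [READ_S3],
}

if __name__ == "__main__":
    roles, assignment = plan_roles(SAMPLE_LAMBDAS)
    print(f"{len(SAMPLE_LAMBDAS)} functions need {len(roles)} roles: {assignment}")
```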