PackedPolicySize limit varies from one AWS account to the other

0

We have flows where we make a call to the STS GetFederatedToken API and pass a JSON session policy doc constraining access to an S3 bucket for whoever uses the token or a presigned URL based off the token. We realize the policy size limit is 2048 characters. However, with one AWS account we are finding that the limit is 1024 characters. The AWS docs say the limit is 2048 characters. Why this discrepancy? Error seen: Packed policy consumes 100% of allotted space, please use smaller policy. (Service: AWSSecurityTokenService; Status Code: 400; Error Code: PackedPolicyTooLarge; Request ID: cc5bc934-aab3-4783-b68b-33295aa7cdea; Proxy: null)

asked 2 years ago, 1143 views
2 Answers
0

Hi,

Generally, the "PackedPolicyTooLarge" error is returned when the size of session policies, session tags and/or user info (such as a username passed via a NameID claim) is too large to fit in the encoded session token blob. However, kindly note that the policy character limit is not the only criterion that returns this exception.

There are mainly two restrictions on the size of a policy that gets passed to STS. The first is, as mentioned, the length of the policy. You can receive this error even though you meet the other defined session policy and session tag limits [1].

In addition to this limit, there is another type called "PackedPolicySize", which is a percentage value that indicates the size of the policy in packed form. With this said, please note that the service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space. As this value gets close to 100%, small changes to the policy may cause STS to reject your policy. For more information regarding the same, kindly refer to the following documentation [2].

Note: An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.

References:

[1] PackedPolicyTooLarge - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_Errors

[2] PackedPolicyLimit - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html

AWS
answered 2 years ago
  • Does the PackedPolicySize limit differ from one account to the other? Is this something you can request AWS to increase? In our tests what we are finding is that the request to STS works for one account and the exact same request (with exactly the same policy) does not work in another AWS account. What could be causing this discrepancy?

  • It isn't set by account and is not a quota that can be adjusted. Whitespace characters are counted in the total calculation, so make sure that in all environments you're trying to assume the role from, all unnecessary whitespace (tabs, new lines, spaces) is removed from the policy document. You can easily see whitespace characters in CloudTrail logs for AssumeRole calls where a session policy was passed in.

    If you have a support plan it would be valuable to engage support here and have them assist you in comparing the different CloudTrail logs from your AssumeRole calls.
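The comment above points at whitespace as the usual reason the "same" policy fits in one account and not in another. The following is an added example, not code from the thread or from AWS: it minifies a session policy the way a caller should before passing it to STS, reports how many characters were whitespace, compares the policy fields of two CloudTrail records (the records and their `requestParameters.policy` field are constructed here for illustration; check the field name against your own events), and wraps the real GetFederationToken call so the response's PackedPolicySize is surfaced. The bucket name, account IDs and session name are placeholders.

```python
"""Session-policy size checks for STS GetFederationToken / AssumeRole.

Added example for this thread; nothing here is AWS's own code. The only
documented limits used are the 2048-character plaintext limit the question
cites and the separate, percentage-based PackedPolicySize reported by STS.
"""
import json
from typing import Optional

PLAINTEXT_LIMIT = 2048  # session policy character limit cited in the question

# Constructed sample policy, pretty-printed the way a template engine or IDE
# tends to emit it. Every newline and indent counts toward the limit.
PRETTY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/uploads/*"
    }
  ]
}"""


def minify_policy(policy_text: str) -> str:
    """Re-serialise a policy with no insignificant whitespace (idempotent)."""
    return json.dumps(json.loads(policy_text), separators=(",", ":"))


def whitespace_report(policy_text: str) -> dict:
    """Character counts before/after minification and the plaintext-limit check."""
    compact = minify_policy(policy_text)
    return {
        "raw_chars": len(policy_text),
        "minified_chars": len(compact),
        "whitespace_chars": len(policy_text) - len(compact),
        "within_plaintext_limit": len(compact) <= PLAINTEXT_LIMIT,
    }


def policy_from_cloudtrail(event: dict) -> Optional[str]:
    """Extract the session policy from a CloudTrail record.

    Assumes the policy is logged under requestParameters.policy; verify the
    field name against a real AssumeRole/GetFederationToken event.
    """
    return (event.get("requestParameters") or {}).get("policy")


def compare_events(event_a: dict, event_b: dict) -> dict:
    """Tell whether two logged calls carried the same policy, and how big each was."""
    pol_a = policy_from_cloudtrail(event_a)
    pol_b = policy_from_cloudtrail(event_b)
    if pol_a is None or pol_b is None:
        raise ValueError("one of the events has no session policy")
    return {
        "same_policy": json.loads(pol_a) == json.loads(pol_b),  # semantic, not textual
        "a": whitespace_report(pol_a),
        "b": whitespace_report(pol_b),
    }


def get_federation_token(sts_client, name: str, policy_text: str,
                         duration_seconds: int = 3600) -> Optional[int]:
    """Call GetFederationToken with a minified policy; return PackedPolicySize (%).

    sts_client is a boto3 STS client; this needs credentials and network, so
    it is not exercised in the offline checks below.
    """
    resp = sts_client.get_federation_token(
        Name=name, Policy=minify_policy(policy_text), DurationSeconds=duration_seconds
    )
    return resp.get("PackedPolicySize")


# Constructed CloudTrail-style records: account A sent the pretty-printed
# policy, account B sent the minified one. Same policy, different byte counts.
EVENT_ACCOUNT_A = {
    "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
    "recipientAccountId": "111111111111",
    "requestParameters": {"name": "upload-session", "policy": PRETTY_POLICY},
}
EVENT_ACCOUNT_B = {
    "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
    "recipientAccountId": "222222222222",
    "requestParameters": {"name": "upload-session", "policy": minify_policy(PRETTY_POLICY)},
}

if __name__ == "__main__":
    print(json.dumps(compare_events(EVENT_ACCOUNT_A, EVENT_ACCOUNT_B), indent=2))
```

Run it as-is to see the two reports side by side; to check a live call, build `boto3.client("sts")` and pass it to `get_federation_token`, then watch how PackedPolicySize moves as you add statements. A policy that is already near 100% packed will be rejected by small additions even though its minified plaintext is well under 2048 characters, which is the second limit the answer describes.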

0

We've since added a dedicated support doc for PackedPolicyTooLarge: https://repost.aws/knowledge-center/iam-role-aws-sts-error

Take a look.

AWS
answered a year ago
