Hi,
Generally, the "PackedPolicyTooLarge" error is returned when the size of session policies, session tags and/or user info (such as a username passed via a NameID claim) is too large to fit in the encoded session token blob. However, kindly note that the policy character limit is not the only criterion that returns this exception.
There are mainly two restrictions on the limit of a policy that gets passed to STS. The first is, as mentioned, the length of the policy. You can receive this error even though you meet the other defined session policy and session tag limits [1].
In addition to this limit, there is another type called “PackedPolicySize”, which is a percentage value that indicates the size of the policy in packed form. With this said, please note that the service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space. As this value gets close to 100%, small changes to the policy may cause STS to reject your policy. For more information regarding the same, kindly refer to the following documentation [2].
Note: An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
References:
[1] PackedPolicyTooLarge - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html#API_AssumeRole_Errors
[2] PackedPolicyLimit - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html
We've since added a dedicated support doc for PackedPolicyTooLarge: https://repost.aws/knowledge-center/iam-role-aws-sts-error
Take a look.
Does PackedPolicySize limit differ from one account to the other? Is this something you can request AWS to increase? In our tests what we are finding is that the request to STS works for one account and the exact same request (with exactly the same policy) does not work in another aws account? What could be causing this discrepancy?
It isn't set by account and is not a quota that can be adjusted. Whitespace characters are counted in the total calculation, so make sure that, in all environments you're trying to assume the role from, all unnecessary whitespace (tabs, new lines, spaces) is removed from the policy document. You can easily see whitespace characters in CloudTrail logs for AssumeRole calls where a session policy was passed in.
If you have a support plan, it would be valuable to engage support here and have them assist you in comparing the different CloudTrail logs from your AssumeRole calls.
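As an added example (not code from the thread or from AWS), the following Python puts the two points above together: it strips the whitespace from a session policy before passing it to AssumeRole and reads the PackedPolicySize percentage back from the response so you can see the headroom before a small policy edit tips it over 100. The sample policy, the role ARN, the 90% warning threshold and the `assume_role_with_headroom` helper name are assumptions; the client can be a real `boto3.client("sts")` or any object with the same `assume_role` method.

```python
import json
from typing import Any, Dict

# Documented plaintext ceiling for an inline session policy passed to
# AssumeRole (2,048 characters). The packed-size limit is separate and is
# only visible as the PackedPolicySize percentage in the STS response.
SESSION_POLICY_PLAINTEXT_LIMIT = 2048

# Constructed sample: a session policy as it might sit in a pretty-printed
# file, with indentation and newlines that count toward the size even
# though they carry no meaning.
SAMPLE_POLICY_PRETTY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "s3:GetObject" ],
            "Resource": "arn:aws:s3:::example-bucket/*"
        }
    ]
}"""


def minify_session_policy(policy: Any) -> str:
    """Return the policy as compact JSON (no indentation, no spaces after
    separators). Keys and values are unchanged, so the policy means the
    same thing; only the whitespace that STS counts is gone."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return json.dumps(doc, separators=(",", ":"))


def assume_role_with_headroom(sts_client, role_arn: str, session_name: str,
                              policy: Any, warn_at: int = 90) -> Dict[str, Any]:
    """Call AssumeRole with a minified session policy and report how close the
    request came to the packed limit. `sts_client` is any object with a
    boto3-style assume_role(**kwargs) method, e.g. boto3.client("sts")."""
    compact = minify_session_policy(policy)
    if len(compact) > SESSION_POLICY_PLAINTEXT_LIMIT:
        raise ValueError(f"session policy is {len(compact)} chars; plaintext "
                         f"limit is {SESSION_POLICY_PLAINTEXT_LIMIT}")
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  Policy=compact)
    # PackedPolicySize is a percentage of the packed limit: STS rejects the
    # request above 100, and values close to 100 mean small edits may break it.
    packed = resp.get("PackedPolicySize")
    return {
        "plaintext_chars": len(compact),
        "packed_policy_size": packed,
        "near_limit": packed is not None and packed >= warn_at,
        "credentials": resp.get("Credentials"),
    }
```

Comparing `plaintext_chars` and `packed_policy_size` across the two accounts from the same code path is a quick way to confirm whether the policy actually sent differs only in whitespace.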