serverless-policy-reducer-for-aws-roles
Fixes "EnterpriseLogAccessIamRole - Maximum policy size of 10240 bytes exceeded" error
This plugin works by modifying the Cloudformation stack before packinging.
It searches for the EnterpriseLogAccessIamRole
resource and modifies the only policy attached to this role.
Install
$ npm i policy-reducer-for-aws-enterprise-logaccess-role
Usage
In your serverless.yml
file:
plugins:
- policy-reducer-for-aws-enterprise-logaccess-role
Explanation
By default, Serverless framework creates role like:
{
Effect: "Allow",
Action: ["logs:FilterLogEvents"],
Resource: [
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-1:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-2:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-3:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-4:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-5:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-6:*",
// multiple lambda
],
}
When you reach a olicy size of 10240 bytes , deployment will fail as limit got exceeded.
This plugin will replace all lambda arn with *:
{
Effect: "Allow",
Action: ["logs:FilterLogEvents"],
Resource: ["*"],
}