serverless-policy-reducer-for-aws-roles
Fixes "EnterpriseLogAccessIamRole - Maximum policy size of 10240 bytes exceeded" error
This plugin works by modifying the Cloudformation stack before packinging.
It searches for the EnterpriseLogAccessIamRole resource and modifies the only policy attached to this role.
Install
$ npm i policy-reducer-for-aws-enterprise-logaccess-role
Usage
In your serverless.yml file:
plugins:
- policy-reducer-for-aws-enterprise-logaccess-roleExplanation
By default, Serverless framework creates role like:
{
Effect: "Allow",
Action: ["logs:FilterLogEvents"],
Resource: [
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-1:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-2:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-3:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-4:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-5:*",
"arn:aws:logs:us-east-1:854451547444:log-group:/aws/lambda/your-lambda-function-6:*",
// multiple lambda
],
}When you reach a olicy size of 10240 bytes , deployment will fail as limit got exceeded.
This plugin will replace all lambda arn with *:
{
Effect: "Allow",
Action: ["logs:FilterLogEvents"],
Resource: ["*"],
}