Miantian

Reputation: 1075

How many AWS IAM principal identifiers can be set, and what to do if the number exceeds the limit?

If I set an AWS IAM policy document as

data "aws_iam_policy_document" "example" {
  statement {
    effect = "Allow"
    actions = [
      "codeartifact:CreateRepository",
    ]
    resources = [
      aws_codeartifact_domain.example.arn,
    ]
    principals {
      # `type` is required in a principals block; "AWS" covers IAM role/user ARNs
      type = "AWS"
      identifiers = [
        "arn:aws:iam::1234567890:role/xxx-1",
        "arn:aws:iam::1234567890:role/xxx-2",
        "arn:aws:iam::1234567890:role/xxx-3",
        "arn:aws:iam::1234567890:role/xxx-4",
        # ... until 100 or 1000 or 10000 ...
      ]
    }
  }
}

How many identifiers can be set here? If the number exceeds the limit, what should I do?

Another question: is it possible to use * after arn:aws:iam::1234567890:role/?

Upvotes: 0

Views: 569

Answers (1)

rowanu

Reputation: 1722

As far as I know (and the official documentation tells us) you can continue to add as many principals as you want, as long as your policy stays under the IAM Policy limit size, which varies depending on what you attach it to:

  • User policy size cannot exceed 2,048 characters.
  • Role policy size cannot exceed 10,240 characters.
  • Group policy size cannot exceed 5,120 characters.

Unfortunately this means that the answer to your question is "it depends" on how much other stuff you have in your policy (i.e. resources and actions).

To get around this limit you'd have to split the principals into multiple policies, and attach them. Then you need to worry about the number of policies that can be attached to an entity, and the number of policies you can have in an account (refer to the quota page linked above).

Upvotes: 1
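The "it depends" and "split the principals into multiple policies" points above, as an added example that is not part of the question or the answer: it measures a policy the way the IAM quotas page does (characters with whitespace removed) and packs a list of principal ARNs, in order, into as many policy documents as the chosen size limit requires. The 300 role ARNs, the 12-digit account ID and the CodeArtifact domain ARN are constructed sample values.

```python
import json

# Quotas quoted in the answer above; IAM counts characters with whitespace removed.
POLICY_SIZE_LIMITS = {"user": 2048, "group": 5120, "role": 10240}

def build_policy(principals, actions, resources):
    """Build one Allow statement granting `actions` on `resources` to `principals`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": list(actions),
            "Resource": list(resources),
        }],
    }

def policy_size(policy):
    """Size as IAM measures it: compact JSON, no whitespace between tokens."""
    return len(json.dumps(policy, separators=(",", ":")))

def split_principals(principals, actions, resources, limit):
    """Pack principals, in order, into policies that each fit within `limit`.

    Every ARN lands in exactly one policy; the relative order is preserved.
    """
    policies, current = [], []
    for arn in principals:
        if policy_size(build_policy(current + [arn], actions, resources)) <= limit:
            current.append(arn)
            continue
        if not current:  # a one-principal policy is already too big: splitting cannot help
            raise ValueError(f"{arn} alone exceeds the {limit}-character limit")
        policies.append(build_policy(current, actions, resources))
        current = [arn]
    if current:
        policies.append(build_policy(current, actions, resources))
    return policies

# Constructed sample input mirroring the question's policy document.
ACTIONS = ["codeartifact:CreateRepository"]
RESOURCES = ["arn:aws:codeartifact:us-east-1:123456789012:domain/example"]
PRINCIPALS = [f"arn:aws:iam::123456789012:role/xxx-{i}" for i in range(1, 301)]

if __name__ == "__main__":
    for kind, limit in POLICY_SIZE_LIMITS.items():
        chunks = split_principals(PRINCIPALS, ACTIONS, RESOURCES, limit)
        print(f"{kind:5s} limit {limit:5d}: {len(chunks)} policies, "
              f"largest {max(policy_size(p) for p in chunks)} chars")
```

Each returned document can then be fed to its own policy resource; the count of documents is what hits the per-entity and per-account policy quotas the answer mentions.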
