Amplify Gen2 Sandbox creates roles for each Lambda function. How can I set it up to use common roles for all Lambda functions?

0

How can I add predefined IAM roles for multiple Lambdas?

I am encountering the following error:

error: LimitExceeded: Cannot exceed quota for RolesPerAccount: 1000
    at Request.extractError (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/root/.serverless/components/registry/npm/@sls-next/serverless-component@3.5.3/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'LimitExceeded',
  time: 2021-12-24T16:45:53.066Z,
  requestId: '6aab5cc3-3bae-405b-bc75-f98214f33664',
  statusCode: 409,
  retryable: false,
  retryDelay: 22.3930525852321
}

1 Answer
0

In AWS Amplify Gen 2, there isn't a direct way to use common roles for all Lambda functions or add predefined IAM roles for multiple Lambdas. Amplify Gen 2 typically creates individual roles for each Lambda function to adhere to the principle of least privilege.

However, to address the issue of reaching the IAM role limit (1000 roles per account), you can implement a permissions boundary. A permissions boundary is an IAM policy that sets the maximum permissions that can be granted to IAM roles created by Amplify. This approach allows you to control the permissions across multiple Lambda functions without creating individual roles for each.

To set up a permissions boundary:

  1. Create an IAM Policy outside of Amplify to use as a permissions boundary. This is usually part of an AWS Organization rule or corporate governance requirement.

  2. Once you have the IAM Policy ARN for the permissions boundary, use the cdk bootstrap command with the --custom-permissions-boundary flag to apply it to your AWS environment.

  3. This permissions boundary will then apply to all IAM roles created by Amplify, including Lambda execution roles, auth roles, unauth roles, and custom resource stack roles.

By using a permissions boundary, you can effectively manage permissions across multiple Lambda functions without creating individual roles for each, which should help address the "LimitExceeded: Cannot exceed quota for RolesPerAccount: 1000" error you're encountering.

Remember that while this approach doesn't directly create common roles for all Lambda functions, it does provide a way to set consistent maximum permissions across all Amplify-generated roles, which can help manage your IAM resources more effectively.

Sources
IAM Permissions Boundary - React - AWS Amplify Gen 2 Documentation

answered 2 months ago
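The three steps in the answer above, written out as a shell script. This is an added example, not code from the re:Post answer, from AWS Amplify or from the AWS CDK project. The policy name (AmplifySandboxBoundary), account id and region are placeholders, and the Allow list in the boundary is an illustrative ceiling, not a recommended minimum; a boundary attached through cdk bootstrap also caps the CloudFormation execution role, so the ceiling must cover whatever deployment itself needs. The Deny statements follow the usual self-protecting pattern: a bounded role may only create roles that carry the same boundary, and no bounded role may remove or edit the boundary. Two things to keep in mind: cdk bootstrap --custom-permissions-boundary takes the policy name, not its ARN, and a permissions boundary limits what each role may do but does not change how many roles exist, so the RolesPerAccount error still needs headroom (a Service Quotas increase, or deleting stale sandbox stacks). The quota check at the end assumes Amplify sandbox role names start with "amplify-", which should be verified against your own account.

```shell
#!/bin/sh
# Added example (not from the re:Post answer, Amplify or CDK). Builds a
# permissions boundary for Amplify Gen 2 roles, applies it via cdk bootstrap,
# and reports IAM role quota headroom. Names, account id and region are
# placeholders; the Allow list is an illustrative ceiling only.
set -eu

BOUNDARY_NAME="${BOUNDARY_NAME:-AmplifySandboxBoundary}"

# Boundary document. The Allow statement is the ceiling for every role that
# carries the boundary (including the CloudFormation execution role, so it
# must cover what deployment itself needs). The Deny statements close the
# escape hatches: a bounded role may create roles only if they carry this
# same boundary, and nobody under the boundary may strip or edit it.
boundary_policy_json() {
  account_id="$1"
  boundary_arn="arn:aws:iam::${account_id}:policy/${BOUNDARY_NAME}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Ceiling",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*", "iam:*", "lambda:*", "logs:*", "dynamodb:*",
        "s3:*", "appsync:*", "cognito-idp:*", "cognito-identity:*",
        "ssm:*", "sts:AssumeRole"
      ],
      "Resource": "*"
    },
    {
      "Sid": "NewRolesMustCarryThisBoundary",
      "Effect": "Deny",
      "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"iam:PermissionsBoundary": "${boundary_arn}"}
      }
    },
    {
      "Sid": "BoundaryCannotBeRemoved",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "*"
    },
    {
      "Sid": "BoundaryCannotBeEdited",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion", "iam:DeletePolicy",
        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "${boundary_arn}"
    }
  ]
}
EOF
}

# Create the policy, then re-bootstrap the CDK environment so Amplify attaches
# the boundary to every role it creates. cdk takes the policy *name*.
apply_boundary() {
  account_id="$1"; region="$2"
  doc="$(mktemp)"
  boundary_policy_json "$account_id" > "$doc"
  aws iam create-policy --policy-name "$BOUNDARY_NAME" --policy-document "file://$doc"
  npx cdk bootstrap --custom-permissions-boundary "$BOUNDARY_NAME" "aws://${account_id}/${region}"
  rm -f "$doc"
}

# A boundary caps permissions; it does not reduce the role count. Show the
# current "Roles per account" quota and how much of it Amplify stacks use
# (assumption: sandbox role names start with "amplify-").
check_role_quota() {
  aws service-quotas list-service-quotas --service-code iam \
    --query "Quotas[?contains(QuotaName, 'Roles per account')].[QuotaName,Value,QuotaCode]" \
    --output text
  printf 'roles in account: %s\n' "$(aws iam list-roles --query 'length(Roles)' --output text)"
  printf 'amplify roles:    %s\n' \
    "$(aws iam list-roles --query "length(Roles[?starts_with(RoleName, 'amplify-')])" --output text)"
}

# Usage: ./boundary.sh apply <account-id> <region>   or   ./boundary.sh quota
case "${1:-}" in
  apply) apply_boundary "$2" "$3" ;;
  quota) check_role_quota ;;
esac
```

Run `./boundary.sh quota` first: if the account is already at the quota, the bootstrap itself will fail to create its roles, and the boundary does nothing to change that. Once headroom exists, `./boundary.sh apply 123456789012 us-east-1` creates the policy and re-bootstraps the environment so subsequent `npx ampx sandbox` deployments pick up the boundary.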
