In AWS Amplify Gen 2, there isn't a direct way to use common roles for all Lambda functions or add predefined IAM roles for multiple Lambdas. Amplify Gen 2 typically creates individual roles for each Lambda function to adhere to the principle of least privilege.
However, to address the issue of reaching the IAM role limit (1000 roles per account), you can implement a permissions boundary. A permissions boundary is an IAM policy that sets the maximum permissions that can be granted to IAM roles created by Amplify. This approach allows you to control the permissions across multiple Lambda functions without creating individual roles for each.
To set up a permissions boundary:
- Create an IAM Policy outside of Amplify to use as a permissions boundary. This is usually part of an AWS Organization rule or corporate governance requirement.
- Once you have the IAM Policy ARN for the permissions boundary, use the cdk bootstrap command with the --custom-permissions-boundary flag to apply it to your AWS environment.
- This permissions boundary will then apply to all IAM roles created by Amplify, including Lambda execution roles, auth roles, unauth roles, and custom resource stack roles.
By using a permissions boundary, you can effectively manage permissions across multiple Lambda functions without creating individual roles for each, which should help address the "LimitExceeded: Cannot exceed quota for RolesPerAccount: 1000" error you're encountering.
Remember that while this approach doesn't directly create common roles for all Lambda functions, it does provide a way to set consistent maximum permissions across all Amplify-generated roles, which can help manage your IAM resources more effectively.
Sources
IAM Permissions Boundary - React - AWS Amplify Gen 2 Documentation
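As an added illustration of the rule the answer relies on (not code from the answer, from Amplify or from AWS), this Python snippet models how IAM combines a role's identity policy with a permissions boundary: the effective permission is the intersection, so the boundary caps but never grants. Both policy documents are constructed samples, and resource and condition matching are deliberately left out.

```python
"""Simplified IAM decision: identity policy AND permissions boundary.

Added example, not part of the re:Post answer or of AWS Amplify. Only the
Action element is evaluated, with IAM-style case-insensitive '*' wildcards;
Resource and Condition handling is omitted to keep the core rule visible.
"""
from fnmatch import fnmatchcase

# Constructed boundary: what any Amplify-generated role may at most do.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "dynamodb:GetItem",
                                   "dynamodb:PutItem", "dynamodb:Query",
                                   "s3:GetObject"]},
    {"Effect": "Deny", "Action": "iam:*"},
]}

# Constructed identity policy resembling a generated Lambda execution role.
FUNCTION_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:*", "dynamodb:*", "iam:PassRole"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(policy, action, effect):
    """True if any statement with the given Effect covers `action`."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != effect:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def policy_allows(policy, action):
    """Single-policy decision: explicit Deny wins, then Allow, else implicit deny."""
    if _matches(policy, action, "Deny"):
        return False
    return _matches(policy, action, "Allow")


def effective_allow(identity_policy, boundary, action):
    """With a boundary attached, BOTH documents must allow the action.
    The boundary therefore caps the role but grants nothing on its own."""
    return policy_allows(identity_policy, action) and policy_allows(boundary, action)
```

A boundary caps what each generated role can do; it does not change how many roles Amplify creates per function.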