undefined | Better HN

0 pointsanother_devy3y ago0 comments

Intriguing, can you share details or overview why it failed for you. Will be kind of gotchas for me

0 comments

p_l3y ago

Essentially there's a maximum size of IAM policy, which AFAIK is not documented properly anywhere - get close to it or exceed it and you start getting random failures everywhere.

donavanm3y ago

Character limits & the number of applied policies are all publicly documented https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_i.... Im not aware of any evaluation complexity limits and have never run in to that sort of problem in my ~10 years of dealing with IAM.

I expect you ran in to this sharp bit "You can add as many inline policies as you want to an IAM user, role, or group. But the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following limits." Calculating the sum would be a pain as a user.

p_l3y ago

We didn't use inline policies much, but we had many policies linked across different objects, and the error message never pointed properly and we somehow didn't stumble upon the docs you mention (that's going into my notes :D).

I no longer work on that project, but it was considerable blocker when I was leaving as Sagemaker notebooks started randomly failing to start depending on role they were launched with.

manv13y ago

Yeah, I can see that happening. There are combinations of roles etc that might hit the limit.

Do you remember what was failing? That would give some insight into how these get evaluated.

I know that S3 does evaluation differently than the other services, which gave me some insight into the process. Unfortunately I forgot what the insight was (doh).

p_l3y ago

The service that hit it was Sagemaker Notebooks, or specifically underlying EC2 instance (which you normally don't see as customer, afaik) - it failed trying to attach a network interface to the instance, because of IAM failure mentioning something rhyming with blown stack (been over a year since, so I don't recall details)

j / k navigate · click thread line to collapse

0 comments

p_l3y ago

Essentially there's a maximum size of IAM policy, which AFAIK is not documented properly anywhere - get close to it or exceed it and you start getting random failures everywhere.

donavanm3y ago

p_l3y ago

I no longer work on that project, but it was considerable blocker when I was leaving as Sagemaker notebooks started randomly failing to start depending on role they were launched with.

manv13y ago

Yeah, I can see that happening. There are combinations of roles etc that might hit the limit.

Do you remember what was failing? That would give some insight into how these get evaluated.

I know that S3 does evaluation differently than the other services, which gave me some insight into the process. Unfortunately I forgot what the insight was (doh).

p_l3y ago

j / k navigate · click thread line to collapse