AWS Role creation via Cloudformation error with LimitExceeded

Time:08-19

I am trying to build a CodeBuild template in CloudFormation. I need to add a role to allow it to perform the needed actions. I created the following role (rules found thanks to the AWS documentation):

"CodeBuildServiceRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "codebuild:*",
                        "codecommit:GetBranch",
                        "codecommit:GetCommit",
                        "codecommit:GetRepository",
                        "codecommit:ListBranches",
                        "codecommit:ListRepositories",
                        "cloudwatch:GetMetricStatistics",
                        "ec2:DescribeVpcs",
                        "ec2:DescribeSecurityGroups",
                        "ec2:DescribeSubnets",
                        "ecr:DescribeRepositories",
                        "ecr:ListImages",
                        "elasticfilesystem:DescribeFileSystems",
                        "events:DeleteRule",
                        "events:DescribeRule",
                        "events:DisableRule",
                        "events:EnableRule",
                        "events:ListTargetsByRule",
                        "events:ListRuleNamesByTarget",
                        "events:PutRule",
                        "events:PutTargets",
                        "events:RemoveTargets",
                        "logs:GetLogEvents",
                        "s3:GetBucketLocation",
                        "s3:ListAllMyBuckets"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "logs:DeleteLogGroup"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*:log-stream:*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "ssm:PutParameter"
                    ],
                    "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "ssm:StartSession"
                    ],
                    "Resource": "arn:aws:ecs:*:*:task/*/*"
                }, ....
            ]
        }
    }
}

(Note that StackOverflow does not allow me to put the whole role here; there are actually 7 other statements with 3 or 4 actions.)

But when running the CF stack, I am getting the following error:

Cannot exceed quota for ACLSizePerRole: 2048 (Service: AmazonIdentityManagement; Status Code: 409; Error Code: LimitExceeded; 

What am I doing wrong here?

CodePudding user response:

Your policy is in the wrong place. You are trying to specify all this stuff as part of the AssumeRolePolicyDocument, which is the place to store the configuration of who is allowed to assume the role, not the place to store what the role is allowed to do.

To specify what the role is allowed to do, use dedicated policies, and then specify them, e.g. within the Policies property. Note that such policies also have length restrictions. You can work around that by splitting one large policy into multiple policies, but there is a limit on the number of policies as well. At some point you would need to reconsider how you are granting permissions and would need to optimize your statements.
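The layout the answer describes, as an added example that is not part of the original question or answer: a short trust policy in AssumeRolePolicyDocument (the only thing ACLSizePerRole, 2048 non-whitespace characters, applies to), the permission statements moved into customer managed policies, and a packer that keeps each policy under the managed-policy size quota and the role under the attached-policy count. The quota figures (2048 for the trust policy, 6144 per managed policy, 10 managed policies per role), the rule that IAM ignores whitespace when measuring policy size, and the fact that Ref on an AWS::IAM::ManagedPolicy resolves to its ARN are taken from the IAM and CloudFormation documentation as I know it; the logical IDs and the sample statements (three of the statements from the question) are constructed for illustration.

```python
"""Put a trust policy in AssumeRolePolicyDocument and the permissions in
managed policies packed under the IAM size quotas. Added example; not the
poster's template."""
import json

# IAM quotas in non-whitespace characters (IAM does not count whitespace).
# ACLSizePerRole in the error message is the trust-policy quota.
TRUST_POLICY_MAX = 2048          # default, adjustable up to 4096
MANAGED_POLICY_MAX = 6144
MANAGED_POLICIES_PER_ROLE = 10   # default, adjustable up to 20

# The trust policy only says WHO may assume the role: the CodeBuild service.
CODEBUILD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "codebuild.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def iam_size(document):
    """Policy size the way IAM measures it: every character except whitespace."""
    text = json.dumps(document, separators=(",", ":"))
    return sum(1 for ch in text if not ch.isspace())


def trust_policy_problems(document):
    """Lint that catches the mistake in the question: permission statements
    (Resource, no Principal) placed in the trust policy."""
    problems = []
    for i, stmt in enumerate(document.get("Statement", [])):
        if "Principal" not in stmt:
            problems.append("statement %d has no Principal" % i)
        if "Resource" in stmt:
            problems.append("statement %d has Resource; it is a permission, not a trust" % i)
    return problems


def policy_document(statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def pack_statements(statements, budget=MANAGED_POLICY_MAX):
    """Greedily group statements so each policy document stays within budget."""
    groups, current = [], []
    for stmt in statements:
        if iam_size(policy_document([stmt])) > budget:
            raise ValueError("a single statement exceeds the policy size quota")
        if current and iam_size(policy_document(current + [stmt])) > budget:
            groups.append(current)
            current = []
        current.append(stmt)
    if current:
        groups.append(current)
    return groups


def build_resources(statements, role_id="CodeBuildServiceRole"):
    """CloudFormation Resources: one AWS::IAM::ManagedPolicy per group plus
    the role that trusts CodeBuild and attaches them. Logical IDs are illustrative."""
    if iam_size(CODEBUILD_TRUST_POLICY) > TRUST_POLICY_MAX:
        raise ValueError("trust policy exceeds ACLSizePerRole")
    groups = pack_statements(statements)
    if len(groups) > MANAGED_POLICIES_PER_ROLE:
        raise ValueError("%d managed policies needed, quota is %d"
                         % (len(groups), MANAGED_POLICIES_PER_ROLE))
    resources, arns = {}, []
    for n, group in enumerate(groups, 1):
        policy_id = "%sPolicy%d" % (role_id, n)
        resources[policy_id] = {"Type": "AWS::IAM::ManagedPolicy",
                                "Properties": {"PolicyDocument": policy_document(group)}}
        arns.append({"Ref": policy_id})   # Ref on a ManagedPolicy yields its ARN
    resources[role_id] = {"Type": "AWS::IAM::Role",
                          "Properties": {"AssumeRolePolicyDocument": CODEBUILD_TRUST_POLICY,
                                         "ManagedPolicyArns": arns}}
    return resources


# Constructed sample input: three of the statements from the question.
SAMPLE_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                "codecommit:GetRepository", "codecommit:ListBranches"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:DeleteLogGroup"],
     "Resource": "arn:aws:logs:*:*:log-group:/aws/codebuild/*:log-stream:*"},
    {"Effect": "Allow", "Action": ["ssm:PutParameter"],
     "Resource": "arn:aws:ssm:*:*:parameter/CodeBuild/*"},
]

if __name__ == "__main__":
    # The poster's layout fails the lint; the corrected layout passes it.
    print(trust_policy_problems(policy_document(SAMPLE_STATEMENTS)))
    print(trust_policy_problems(CODEBUILD_TRUST_POLICY))
    print(json.dumps({"Resources": build_resources(SAMPLE_STATEMENTS)}, indent=2))
```

Running the script prints the lint findings for both layouts and the corrected Resources section. Splitting into several inline policies under Policies does not buy much, because the inline policies on one role share a single aggregate quota; splitting across managed policies does, up to the per-role attachment count, which is why the packer targets AWS::IAM::ManagedPolicy.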
