How do I resolve the Lambda error "The final policy size is bigger than the limit"?

Last updated: 2020-04-14

When I set a trigger to invoke my AWS Lambda function, I get the error "The final policy size is bigger than the limit". How do I resolve the error?

Short Description

This error can occur when you attempt to add policy statements to your Lambda function's resource-based policy. If the added policy statements put the policy over the maximum policy size of 20 KB, the error occurs and the statements aren't added. This can happen when you're manually using the add-permission command, or when creating resources for other services that need permissions to access your function.

Reduce the policy's size by removing repetitive policy statements and replacing them with consolidated statements that use a wildcard (*).

For more information, see AWS Lambda Limits and Cleaning Up Resource-Based Policies.

Resolution

Review your function's resource-based policies

Note: In the following commands, replace my-function with your function's name or Amazon Resource Name (ARN).

1. Use the get-policy command from the AWS Command Line Interface (AWS CLI) to get and review your Lambda function's resource-based policy:

$ aws lambda get-policy --function-name my-function

You can also pipe the output of the get-policy command into the command-line JSON processor jq to write more advanced queries against the policy.

Note: For instructions to download and install jq, see Download jq on the jq website on GitHub.

For example, you can use jq to format the policy:

$ aws lambda get-policy --function-name my-function | jq '.Policy|fromjson'

To view the size of the policy:

$ aws lambda get-policy --function-name my-function | jq -r '.Policy' | wc -c

Note: If the value in the output of this command is close to 20480 (20 KB), the size error can occur when you attempt to add more policy statements.

To get the statement ID (Sid) of certain policy statements:

$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select(.Principal.Service=="events.amazonaws.com")
| .Sid'

Note: Replace events.amazonaws.com with the AWS service that invokes your function.

Or to get the Sids of resources whose names start with the same string:

$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select(.Condition.ArnLike."AWS:SourceArn" | startswith("arn:aws:events:region:account-id:rule/test-"))
| .Sid'

Note: Replace arn:aws:events:region:account-id:rule/test- with a string shared by the ARNs of resources across multiple, repetitive policy statements.

2. In the resource-based policy, identify policy statements that you can replace with a wildcard. Note the Sid of each of these policy statements.

Remove policy statements

Use the remove-permission command to remove each policy statement that you noted in the previous step:

$ aws lambda remove-permission --function-name my-function --statement-id sid

Note: Replace my-function with your function's name or ARN. Replace sid with the Sid of a policy statement.

Add policy statements that use a wildcard

Use the add-permission command to add new, consolidated policy statements that include a wildcard (*). For example:

$ aws lambda add-permission --function-name my-function \
--statement-id sid \
--action 'lambda:InvokeFunction' \
--principal 'events.amazonaws.com' \
--source-arn 'arn:aws:events:region:account-id:rule/test-*'

Note: Replace my-function with your function's name or ARN. Replace sid with a new Sid of any value. Replace events.amazonaws.com with the AWS service or account principal that invokes your function. Replace arn:aws:events:region:account-id:rule/test-* with an ARN string (plus a wildcard) shared by the resources that you're granting permissions.
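The following script is an added example (not part of this article or of the AWS CLI) that walks through the procedure above offline: it measures a policy's size, selects the repetitive statements the same way the jq queries do, and builds the consolidated wildcard statement that add-permission would create. The policy document, the function ARN and the account ID 123456789012 are constructed placeholders; the check that the wildcard prefix still contains the region and account-id fields is an assumption added here, modelled on the article's example ARN.

```python
import copy
import json

# Constructed sample resource-based policy (placeholder account 123456789012, not a real one):
# five repetitive EventBridge rule statements plus one unrelated S3 statement.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"

def _stmt(sid, service, source_arn):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}}}

SAMPLE_POLICY = {"Version": "2012-10-17", "Id": "default", "Statement": [
    _stmt(f"events-test-{i}", "events.amazonaws.com",
          f"arn:aws:events:us-east-1:123456789012:rule/test-{i}") for i in range(5)
] + [_stmt("s3-bucket", "s3.amazonaws.com", "arn:aws:s3:::my-bucket")]}

POLICY_LIMIT = 20480  # bytes: the 20 KB limit the article refers to

def policy_size(policy):
    # Approximates `jq -r '.Policy' | wc -c`: Lambda stores the policy as a compact JSON string.
    return len(json.dumps(policy, separators=(",", ":")).encode())

def source_arn(stmt):
    return stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn", "")

def sids_for_prefix(policy, service, prefix):
    # Same selection as the jq queries: matching service principal and SourceArn prefix.
    return [s["Sid"] for s in policy["Statement"]
            if s.get("Principal", {}).get("Service") == service and source_arn(s).startswith(prefix)]

def consolidate(policy, service, prefix, new_sid):
    # Assumed guard: refuse a prefix that would put the wildcard before the region/account
    # fields, so the consolidated statement stays scoped to one account, as in the article.
    if prefix.count(":") < 5:
        raise ValueError("prefix must include partition, service, region and account-id")
    removed = sids_for_prefix(policy, service, prefix)  # Sids to pass to remove-permission
    new_policy = copy.deepcopy(policy)
    new_policy["Statement"] = [s for s in new_policy["Statement"] if s["Sid"] not in removed]
    # The replacement mirrors `aws lambda add-permission ... --source-arn '<prefix>*'`.
    new_policy["Statement"].append(_stmt(new_sid, service, prefix + "*"))
    return new_policy, removed

if __name__ == "__main__":
    before = policy_size(SAMPLE_POLICY)
    new_policy, removed = consolidate(SAMPLE_POLICY, "events.amazonaws.com",
                                      "arn:aws:events:us-east-1:123456789012:rule/test-",
                                      "events-test-all")
    print(f"removed {len(removed)} statements; size {before} -> "
          f"{policy_size(new_policy)} of {POLICY_LIMIT} bytes")
```

Against a real function, replace SAMPLE_POLICY with the parsed output of get-policy and issue one remove-permission per returned Sid followed by a single add-permission with the wildcard source ARN.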

For more example commands and information, see Granting Function Access to AWS Services.