How can I resolve the IAM error "Maximum policy size of xxxxx bytes exceeded for the user or role."
Last updated: 2022-09-23
I received an AWS Identity and Access Management (IAM) error message similar to the following:
"Maximum policy size of xxxxx bytes exceeded for the user or role."
How can I increase the default managed policy or character size limit for an IAM role or user?
The maximum limit for attaching a managed policy to an IAM role or user is 20. The maximum character size limit for managed policies is 6,144. For more information, see IAM object quotas and IAM and AWS STS quotas name requirements, and character limits.
Note: The default limit for managed policies is 10. To increase the default limit from 10 to up to 20, you must submit a request for a service quota increase.
If you reached the managed policy or character size limit for an IAM group, user, role, or policy, then use these workarounds, depending on your scenario.
Create another IAM group. You can have up to 300 IAM groups per account. Attach the managed policy to the IAM user instead of the IAM group. You can attach up to 20 managed policies to IAM roles and users.
Create more IAM groups and attach the managed policy to the group. You can assign IAM users to up to 10 groups. You can also attach up to 10 managed policies to each group, for a maximum of 120 policies (20 managed policies attached to the IAM user, 10 IAM groups, with 10 policies each).
Combine managed policies
Combine multiple managed policies into a single policy. You can add up to 6,144 characters per managed policy.
Reduce the character size of the managed policies
Remove duplicate permissions by combining all actions with the same Effect. Combine resource and condition statements. Remove unnecessary statements such as Sid. Use wildcards (*) for actions with the same suffix or prefix.
Use inline policies instead of managed policies
You can use as many inline policies as you want, but the aggregate policy size can't exceed the character quotas. The inline policy character limits are 2,048 for users, 10,240 for roles, and 5,120 for groups.
Important: It's a best practice to use customer managed policies instead of inline policies.