How do I resolve the error "The final policy size is bigger than the limit" from Lambda?
Last updated: 2022-08-16
When I set a trigger to invoke my AWS Lambda function, I get the error "The final policy size is bigger than the limit". How do I resolve the error?
Short description
If your Lambda function's resource-based policy is larger than 20 KB, then Lambda returns the error "The final policy size is bigger than the limit".
The error can occur when you add policy statements to your function's resource-based policy by doing either of the following:
- Manually using the add-permission AWS Command Line Interface (AWS CLI) command.
- Creating resources for other AWS services that need permission to access your function.
To resolve the error, reduce the size of your function's resource-based policy by removing repetitive policy statements and replacing them with consolidated statements that use wildcards (*). For more information, see Lambda quotas and Cleaning up resource-based policies.
Resolution
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
Review your function's resource-based policies
Note: For the following commands, replace my-function with your function's name or Amazon Resource Name (ARN).
1. Run the following get-policy AWS CLI command to find and review your Lambda function's resource-based policy:
$ aws lambda get-policy --function-name my-function
Note: You can also use the command line JSON processor, jq, in the get-policy command to write advanced queries. For information on how to download and install jq, see Download jq on the jq website on GitHub.
Example get-policy command that uses jq to format a Lambda function's policy as a JSON file
$ aws lambda get-policy --function-name my-function | jq '.Policy|fromjson'
Example get-policy command that uses jq to find the size of a Lambda function's policy
$ aws lambda get-policy --function-name my-function | jq -r '.Policy' | wc -c
Example get-policy command that uses jq to find the statement ID (Sid) of certain policy statements
Replace events.amazonaws.com with the AWS service that invokes your function.
$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select(.Principal.Service=="events.amazonaws.com")
| .Sid'
Example get-policy command that uses jq to get the Sid of resources whose names start with the same string
Replace arn:aws:events:region:account-id:rule/test- with a string shared by the ARNs of resources across multiple, repetitive policy statements.
$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select((.Condition.ArnLike."AWS:SourceArn" // "") | startswith("arn:aws:events:region:account-id:rule/test-"))
| .Sid'
2. In the resource-based policy, identify policy statements that you can replace with a wildcard. Note the Sid of each policy statement.
Remove repetitive policy statements
Run the following remove-permission AWS CLI command to remove each repetitive policy statement. Replace my-function with your function's name or ARN. Replace sid with the Sid of the policy statement that you want to remove.
$ aws lambda remove-permission --function-name my-function --statement-id sid
Add policy statements that use a wildcard (*)
Run the following add-permission AWS CLI command to add new, consolidated policy statements that include a wildcard (*). Replace my-function with your function's name or ARN. Replace sid with a new Sid of any value. Replace events.amazonaws.com with the AWS service or account principal that invokes your function. Replace arn:aws:events:region:account-id:rule/test-* with an ARN string (plus a wildcard) shared by the resources that you're granting permissions to.
$ aws lambda add-permission --function-name my-function \
--statement-id 'sid' \
--action 'lambda:InvokeFunction' \
--principal 'events.amazonaws.com' \
--source-arn 'arn:aws:events:region:account-id:rule/test-*'
Note: Triggers with wildcards in the resource-based policy might not be visible in the Lambda console. For more information, see Event-driven invocation.
For more information, see Granting function access to AWS services.
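The following script is an added example, not part of this article or of the AWS CLI. It works offline on a constructed get-policy response (the account ID, function name and rule ARNs are made up) and carries the procedure above through in one place: it measures the serialized policy against the 20 KB quota, reproduces the jq "Sid by source-ARN prefix" query in Python (tolerating statements that have no Condition, which would otherwise make the query fail), and groups repetitive InvokeFunction statements by service principal and longest common source-ARN prefix into a single wildcard statement. It also refuses a wildcard that would stop short of a resource-type segment (for example arn:aws:events:region:account:rule/), because such a consolidation would let every rule in the account invoke the function rather than only the intended ones. The output lists the Sids to pass to remove-permission and the arguments for the replacement add-permission call; the helper names and the scoping rule are this example's own choices.

```python
import json
import os
from collections import defaultdict

POLICY_LIMIT_BYTES = 20 * 1024  # Lambda resource-based policy quota: 20 KB


def _event_rule_statement(i):
    """Constructed sample statement, in the shape add-permission creates for an EventBridge rule."""
    return {
        "Sid": f"rule-{i}",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
        "Condition": {"ArnLike": {"AWS:SourceArn":
                                  f"arn:aws:events:us-east-1:123456789012:rule/test-{i}"}},
    }


# Constructed sample in the shape of a get-policy response (account ID and ARNs are made up).
SAMPLE_GET_POLICY_RESPONSE = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [_event_rule_statement(i) for i in range(1, 4)] + [
            {   # a different service principal: must not be folded into the events wildcard
                "Sid": "s3-trigger",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}},
            },
            {   # account principal with no Condition: source_arn() must tolerate this
                "Sid": "cross-account",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}


def parse_policy(response):
    """The Policy field of get-policy is a JSON document serialized inside the JSON response."""
    return json.loads(response["Policy"])


def policy_size_bytes(response):
    """Size of the serialized policy document, the quantity compared against the quota."""
    return len(response["Policy"].encode("utf-8"))


def over_limit(response):
    return policy_size_bytes(response) > POLICY_LIMIT_BYTES


def service_principal(statement):
    principal = statement.get("Principal")
    return principal.get("Service") if isinstance(principal, dict) else None


def source_arn(statement):
    """AWS:SourceArn from an ArnLike condition, or None when the statement has no such condition."""
    return ((statement.get("Condition") or {}).get("ArnLike") or {}).get("AWS:SourceArn")


def sids_for_prefix(policy, service, prefix):
    """Python equivalent of the jq query: Sids for `service` whose source ARN starts with `prefix`."""
    return [s["Sid"] for s in policy["Statement"]
            if service_principal(s) == service and (source_arn(s) or "").startswith(prefix)]


def scoped_enough(prefix):
    """Reject a wildcard prefix that would span a whole region, account or resource type.
    All six ARN fields must be present and the resource field must name a type plus a
    non-empty start of the resource name (e.g. 'rule/test-', not 'rule/' or '')."""
    fields = prefix.split(":", 5)
    return len(fields) == 6 and "/" in fields[5] and fields[5].split("/", 1)[1] != ""


def consolidation_plans(policy, min_group=2):
    """Group Allow statements by (service principal, action) and, where at least `min_group`
    of them share a sufficiently specific source-ARN prefix, propose one wildcard statement."""
    groups = defaultdict(list)
    for s in policy["Statement"]:
        svc, action = service_principal(s), s.get("Action")
        if svc and source_arn(s) and s.get("Effect") == "Allow" and isinstance(action, str):
            groups[(svc, action)].append(s)
    plans = []
    for (svc, action), stmts in groups.items():
        if len(stmts) < min_group:
            continue
        prefix = os.path.commonprefix([source_arn(s) for s in stmts])
        if not scoped_enough(prefix):
            continue  # consolidating would over-grant; leave these statements alone
        plans.append({
            "remove_sids": [s["Sid"] for s in stmts],           # for remove-permission
            "add_permission": {                                  # for add-permission
                "statement-id": f"{svc.split('.')[0]}-consolidated",
                "action": action,
                "principal": svc,
                "source-arn": prefix + "*",
            },
        })
    return plans


def analyze(response):
    return {"size_bytes": policy_size_bytes(response),
            "over_limit": over_limit(response),
            "plans": consolidation_plans(parse_policy(response))}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_GET_POLICY_RESPONSE), indent=2))
```

To run it against a real function, replace SAMPLE_GET_POLICY_RESPONSE with the parsed output of aws lambda get-policy --function-name my-function and review each plan before acting on it: the proposed wildcard should cover only resources that are meant to invoke the function, and it is the removal of the per-resource statements together with the addition of the wildcard statement that brings the policy back under the quota.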