Error: Maximum policy size of xxx bytes exceeded for Lambda xxx.

We can assign a Lambda function to Lex intents. This gives our bot a lot of power, since the Lambda can do almost anything. But there is a problem: when we assign a Lambda to an intent, Lex asks for invocation permission, and when we grant it, a statement is added to the Lambda's function policy (its resource-based policy). This works fine until we have so many intents that the policy document exceeds its length limit. Once the function policy document is at its limit, we can't add that Lambda to any more intents.

Debug:

The problem is that it's not easy to find where these permissions go each time we grant invocation for an intent. They are hidden under a small button in the Lambda console (screenshots below). This button is only visible if you have access to the lambda:GetPolicy action.

[Screenshots: view-permissions, lambda-function-policy]

Solution:

The solution: instead of adding a permission for every intent individually, add one permission that covers all intents. That reduces the policy document size and we can live peacefully. But the console only lets us view the function policy document (if we have lambda:GetPolicy permission); we can't modify it from the console interface. We have to do it via the API, either the command-line interface or an SDK. The API call that does this is lambda:AddPermission. If you use Python, just call add_permission in the boto3 API (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lambda.html#Lambda.Client.add_permission).

Function Policy Document Before:

"Statement": [
    {
        "Sid": "lex-us-east-1-my_first_intent",
        "Effect": "Allow",
        "Principal": {
            "Service": "lex.amazonaws.com"
        },
        "Action": "lambda:invokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:xxx:function:My_Lex_Lambda",
        "Condition": {
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:lex:us-east-1:xxx:intent:my_first_intent:*"
            }
        }
    },
    {
        "Sid": "lex-us-east-1-my_second_intent",
        "Effect": "Allow",
        "Principal": {
            "Service": "lex.amazonaws.com"
        },
        "Action": "lambda:invokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:xxx:function:My_Lex_Lambda",
        "Condition": {
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:lex:us-east-1:xxx:intent:my_second_intent:*"
            }
        }
    },
    # ... one such statement for every other intent to which this Lambda is assigned
]

Function Policy Document After:

"Statement": [
    {
        "Sid": "lex-us-east-1-my_bot",
        "Effect": "Allow",
        "Principal": {
            "Service": "lex.amazonaws.com"
        },
        "Action": "lambda:invokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:xxx:function:My_Lex_Lambda",
        "Condition": {
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:lex:us-east-1:xxx:intent:*"
            }
        }
    }
]
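As an added example (not the post's own code), here is how the move from the "Before" to the "After" policy can be done with boto3: one pure function plans which per-intent Lex statements to replace and derives the region- and account-scoped wildcard, and a second function applies it with get_policy, add_permission and remove_permission. The sample policy, the account id 123456789012, the statement id "lex-all-intents" and the extra API Gateway statement are constructed; boto3 and AWS credentials are assumed only for the apply step.

```python
"""Consolidate per-intent Lex invoke permissions in a Lambda function policy."""
import json
import re

# Per-intent source ARNs the Lex console writes: arn:aws:lex:<region>:<account>:intent:<name>:*
INTENT_ARN_RE = re.compile(r"^arn:aws:lex:(?P<region>[^:]+):(?P<account>\d+):intent:[^:]+:\*$")

# Constructed sample of get_policy()["Policy"]; the account id is a placeholder.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "lex-us-east-1-my_first_intent", "Effect": "Allow", "Action": "lambda:invokeFunction",
     "Principal": {"Service": "lex.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:lex:us-east-1:123456789012:intent:my_first_intent:*"}}},
    {"Sid": "lex-us-east-1-my_second_intent", "Effect": "Allow", "Action": "lambda:invokeFunction",
     "Principal": {"Service": "lex.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:lex:us-east-1:123456789012:intent:my_second_intent:*"}}},
    {"Sid": "apigw-invoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",  # unrelated grant, must survive
     "Principal": {"Service": "apigateway.amazonaws.com"}}]})


def plan_consolidation(policy_json):
    """Return (sids_to_remove, wildcard_source_arn) for the per-intent Lex statements.
    Only lex.amazonaws.com statements with a single-intent SourceArn are selected; the
    wildcard keeps their region and account, so only this account's intents are trusted."""
    sids, scopes = [], set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Principal", {}).get("Service") != "lex.amazonaws.com":
            continue
        match = INTENT_ARN_RE.match(stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn", ""))
        if match:
            sids.append(stmt["Sid"])
            scopes.add((match.group("region"), match.group("account")))
    if len(scopes) != 1:  # nothing to merge, or mixed accounts/regions: refuse to guess
        return [], None
    region, account = scopes.pop()
    return sids, f"arn:aws:lex:{region}:{account}:intent:*"


def consolidate(function_name, statement_id="lex-all-intents", dry_run=True):
    """Apply the plan with boto3 (imported here so the planning logic stays runnable offline)."""
    import boto3  # assumes boto3 and credentials allowing GetPolicy, AddPermission, RemovePermission
    client = boto3.client("lambda")
    sids, source_arn = plan_consolidation(client.get_policy(FunctionName=function_name)["Policy"])
    if source_arn is None or dry_run:
        return sids
    # Add the wildcard statement first so Lex never loses invoke rights mid-change.
    client.add_permission(FunctionName=function_name, StatementId=statement_id, Principal="lex.amazonaws.com",
                          Action="lambda:InvokeFunction", SourceArn=source_arn)
    for sid in sids:  # then drop the per-intent statements that filled the policy
        client.remove_permission(FunctionName=function_name, StatementId=sid)
    return sids
```

Run consolidate() with dry_run=True first to see which Sids would be removed; keeping the account and region in the SourceArn means the function trusts only this account's intents rather than any Lex intent anywhere.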
