Invalid PermissionsPolicy Document: Member must have length less than or equal to 1024 about cloudformation-coverage-roadmap HOT 3 CLOSED

This error is related to the statusMessage being too large. This is because the entire policy is part of the payload. More than likely your policy is invalid and the back end API is having issues with it.

For instance this policy with invalid resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "aps:*",
        ...(redacted)
      ],
      "Resource": []
    }
  ]
}

will result in the error
Value 'Invalid PermissionsPolicy Document ... at 'statusMessage' failed to satisfy constraint: Member must have length less than or equal to 1024

I've been able to create inline policies larger than 1024 without issues. I'm willing to re-open if I've missed something.

from cloudformation-coverage-roadmap.

@kddejong, thanks for the quick response. I appreciate the help.

Now I see two problems:

• My policy was invalid and Identity Center rejected it
• CloudFormation misled me by presenting irrelevant internal details

It's my job to fix the invalid policy.

I'd like the service team to improve the presentation of such errors.

Just this would have been fine:

Invalid PermissionsPolicy Document {...}. (Service: SsoAdmin, Status Code: 400, Request ID: ...)

This part misled me:

1 validation error detected: Value '...' at 'statusMessage' failed to satisfy constraint: Member must have length less than or equal to 1024

As a customer I don't want to see that CloudFormation has some limit of 1024. It still printed all the characters anyway!

Is that a good topic for a GitHub issue in this repo?

If not, I can use a support case to pass on the request.

from cloudformation-coverage-roadmap.

In case anyone else runs into this, I'll share how I solved it.

• Use cfn-policy-validator to parse all the policies out of the CloudFormation template and write them out in JSON
• Use jq to extract the inline policy from the modified permission set
• Use parliament to validate the inline policy and find the root cause

cfn-policy-validator parse --template-path ... --region ... --parameters ... > policies.json

jq < policies.json '
    .
    | .PermissionSets[] | select(.Name == "...")
    | .Policies[] | select(.Name == "InlinePolicy")
    | .Policy
' \
> inline_policy.json

parliament --json --file inline_policy.json | jq -s

In my case, the root cause was spaces in a new sid. Oops!

  {
    "issue": "INVALID_SID",
    "title": "Invalid SID",
    "severity": "LOW",
    "description": "Statement Sid does match regex [0-9A-Za-z]*",
    "detail": null,
    "location": {
      "string": "A long sid with spaces to make it readable",
      "line": 4,
      "column": 14,
      "filepath": "inline_policy.json"
    }
  }

from cloudformation-coverage-roadmap.