Hello folks!
I hope you could help me here. Recently I hit the 10240 byte IAM role policy limit when deploying my stack. I was inspecting the generated template and I observed that the CreateLogGroup and PutLogEvents clauses are large because they list all of the functions in my stack. For example:
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogStream"
    ],
    "Resource": [
        {
            "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/foo-function:*"
        },
        {
            "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bar-function:*"
        },
        ...
I think I read somewhere that it adds an explicit entry in the Resources section for each function in my stack because I explicitly name them. Above is just an example, but I have over 20 functions and this makes the policy very large since the same happens with PutLogEvents.
Is there a way to avoid this? For example, can I tell the framework to not create this part of the policy so that I can create it manually? I looked everywhere and could not find anything useful.
Any advice is welcome and will be greatly appreciated.
Best regards,
- mess
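
Added example, not part of the original post and not the framework's own code: a Python sketch that measures how much of the 10240-character role policy budget each statement of a generated policy consumes, so the per-function log-group entries described above can be quantified. The policy built by `sample_policy`, the `fn-NN` function names, and the region and account values are constructed; only string-form `Fn::Sub` with those pseudo parameters is expanded, which is an assumption about the template.

```python
import json
import re

ROLE_POLICY_LIMIT = 10240  # the role policy limit quoted in the post
# Constructed stand-ins for the CloudFormation pseudo parameters.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1",
          "AWS::AccountId": "123456789012"}

def resolve(node):
    """Expand {"Fn::Sub": "..."} nodes the way the deployed policy will read."""
    if isinstance(node, dict):
        if set(node) == {"Fn::Sub"} and isinstance(node["Fn::Sub"], str):
            return re.sub(r"\$\{([^}]+)\}",
                          lambda m: PSEUDO.get(m.group(1), m.group(0)),
                          node["Fn::Sub"])
        return {k: resolve(v) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v) for v in node]
    return node

def policy_size(doc):
    """Characters in the resolved policy; compact JSON, as IAM ignores whitespace."""
    return len(json.dumps(resolve(doc), separators=(",", ":")))

def statement_report(doc):
    """(actions, resource count, size) per statement, largest first."""
    rows = []
    for stmt in doc["Statement"]:
        res = stmt["Resource"]
        count = len(res) if isinstance(res, list) else 1
        rows.append((stmt["Action"], count, policy_size(stmt)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def sample_policy(n):
    """Constructed policy: one log-group ARN per function, in two statements."""
    arns = [{"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:"
                        "${AWS::AccountId}:log-group:/aws/lambda/fn-%02d:*" % i}
            for i in range(n)]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream"], "Resource": arns},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": arns},
    ]}

if __name__ == "__main__":
    doc = sample_policy(20)
    print(f"total: {policy_size(doc)} / {ROLE_POLICY_LIMIT} characters")
    for actions, count, size in statement_report(doc):
        print(f"{size:6d}  {count:3d} resources  {actions}")
```

To run it against a real stack, load the `PolicyDocument` of the role from the generated template with `json.load` and pass it to `statement_report`.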