amplify-backend
Maximum policy size of 10240 bytes exceeded for role amplify-reactapp-test--amplifyAuthtrainerGroupRo-LVRCnC3s1MLV
Environment information
System:
OS: macOS 15.3.2
CPU: (8) arm64 Apple M1
Memory: 152.20 MB / 16.00 GB
Shell: /bin/zsh
Binaries:
Node: 20.18.2 - ~/.nvm/versions/node/v20.18.2/bin/node
Yarn: 1.22.22 - /opt/homebrew/bin/yarn
npm: 10.8.2 - ~/.nvm/versions/node/v20.18.2/bin/npm
pnpm: 9.15.2 - ~/Library/pnpm/pnpm
NPM Packages:
@aws-amplify/auth-construct: 1.6.1
@aws-amplify/backend: 1.14.3
@aws-amplify/backend-ai: Not Found
@aws-amplify/backend-auth: 1.5.1
@aws-amplify/backend-cli: 1.5.0
@aws-amplify/backend-data: 1.4.1
@aws-amplify/backend-deployer: 1.1.20
@aws-amplify/backend-function: 1.12.3
@aws-amplify/backend-output-schemas: 1.4.1
@aws-amplify/backend-output-storage: 1.1.5
@aws-amplify/backend-secret: 1.2.0
@aws-amplify/backend-storage: 1.2.6
@aws-amplify/cli-core: 1.4.1
@aws-amplify/client-config: 1.5.8
@aws-amplify/data-construct: 1.15.1
@aws-amplify/data-schema: 1.20.1
@aws-amplify/deployed-backend-client: 1.5.2
@aws-amplify/form-generator: 1.0.5
@aws-amplify/model-generator: 1.0.13
@aws-amplify/platform-core: 1.6.5
@aws-amplify/plugin-types: 1.8.1
@aws-amplify/sandbox: 1.2.12
@aws-amplify/schema-generator: 1.2.8
aws-amplify: 6.13.6
aws-cdk: 2.1005.0
aws-cdk-lib: 2.185.0
typescript: 5.8.2
No AWS environment variables
No CDK environment variables
Describe the bug
report: https://discord.com/channels/705853757799399426/1352000944920989828/1352000944920989828
Storage with multiple paths and group access fails with
"Maximum policy size of 10240 bytes exceeded for role amplify-reactapp-test--amplifyAuthtrainerGroupRo-LVRCnC3s1MLV".
This is due to an IAM limit: role policy size can't exceed 10,240 characters.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length
Note for the fix: currently the limit for managed policies per role is 10.
Reproduction steps
import { defineStorage } from "@aws-amplify/backend";
import { test1 } from "../functions/test-function/resource";
import { test2 } from "../functions/test-function1/resource";
/**
 * Default bucket ("js-main-test") used to reproduce the reported failure.
 *
 * Every prefix below repeats a rule for the same four groups ("admin",
 * "sadmin", "clinician", "trainer"). The report attributes the
 * "Maximum policy size of 10240 bytes exceeded" error on the trainer group
 * role to this configuration.
 *
 * Access as declared here:
 * - staff groups get read/write/delete on every prefix except
 *   "peak-members/*", where they get write only;
 * - "peak-members/*" is also writable by any authenticated user;
 * - the "*-output*" prefixes are readable by guests and authenticated users,
 *   and writable by the test1 / test2 function resources.
 *
 * NOTE(review): if this is restructured to fit under the IAM size limit, keep
 * the rules scoped to these prefixes rather than widening to a bucket-wide
 * wildcard, and confirm that guest read on the output prefixes is intended.
 */
export const storage = defineStorage({
  name: "js-main-test",
  isDefault: true,
  access: (allow) => {
    // Built fresh on every call so each prefix gets its own rule object,
    // exactly as when the rule is written out inline per prefix.
    const staffFullAccess = () =>
      allow
        .groups(["admin", "sadmin", "clinician", "trainer"])
        .to(["read", "write", "delete"]);

    // Read access for unauthenticated (guest) and signed-in users,
    // in the order guest first, authenticated second.
    const openRead = () => [
      allow.guest.to(["read"]),
      allow.authenticated.to(["read"]),
    ];

    return {
      // Staff-only prefixes.
      "patient-id-photo/*": [staffFullAccess()],
      "referrals/*": [staffFullAccess()],
      "insurance-photos/*": [staffFullAccess()],
      "clinical-notes/*": [staffFullAccess()],
      "status-summaries/*": [staffFullAccess()],
      "visit-summaries/*": [staffFullAccess()],
      "case-documents/*": [staffFullAccess()],
      "member-photo/*": [staffFullAccess()],
      "outcomes-entry-summary/*": [staffFullAccess()],
      "fitness-plan-documents/*": [staffFullAccess()],

      // Write-only prefix: any authenticated user and the staff groups.
      "peak-members/*": [
        allow.authenticated.to(["write"]),
        allow.groups(["admin", "sadmin", "clinician", "trainer"]).to(["write"]),
      ],

      // Publicly readable output prefixes; a function resource writes to each.
      "exercise-images-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test1).to(["write"]),
      ],
      "exercise-videos-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo-output1/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo-output2/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo-output3/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo-output4/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo--abjfjksdnfjsdfwefewf-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo--abjfjksdnfjsdfwefewfewee-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo--abjfjksdnfjsdfwefewfaffef-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
      "document-header-logo--abjfjksdnfjsdfwefewfewfwe-output/*": [
        ...openRead(),
        staffFullAccess(),
        allow.resource(test2).to(["write"]),
      ],
    };
  },
});
/**
 * Input bucket ("js-main-images-input") whose uploads invoke the test1
 * function through the onUpload trigger.
 *
 * "exercise-images-input/*" is limited to the four staff groups;
 * "document-header-logo-input/*" is additionally readable by guests and by
 * any authenticated user.
 */
export const imagesInputBucket = defineStorage({
  name: "js-main-images-input",
  access: (allow) => {
    // Fresh rule object per prefix, matching an inline rule at each use.
    const staffFullAccess = () =>
      allow
        .groups(["admin", "sadmin", "clinician", "trainer"])
        .to(["read", "write", "delete"]);

    return {
      "exercise-images-input/*": [staffFullAccess()],
      "document-header-logo-input/*": [
        allow.guest.to(["read"]),
        allow.authenticated.to(["read"]),
        staffFullAccess(),
      ],
    };
  },
  triggers: { onUpload: test1 },
});
/**
 * Input bucket ("js-main-videos-input") with a single staff-only prefix.
 * Uploads invoke the test1 function through the onUpload trigger.
 */
export const videosInputBucket = defineStorage({
  name: "js-main-videos-input",
  access: (allow) => {
    // Only the four staff groups may read, write or delete under this prefix.
    const staffRule = allow
      .groups(["admin", "sadmin", "clinician", "trainer"])
      .to(["read", "write", "delete"]);

    return { "exercise-videos-input/*": [staffRule] };
  },
  triggers: { onUpload: test1 },
});