When generating AWS credentials from Vault's AWS secrets engine, the following error was returned:
Error reading aws/sts/0fxxxxd-uat-877xxxx445: Error making API request.
URL: GET https://vault_host:8200/v1/aws/sts/0fxxxxd-uat-877xxxx445
Code: 400. Errors:
* Error assuming role: PackedPolicyTooLarge: Packed policy consumes 119% of allotted space, please use smaller policy.
status code: 400, request id: a0ac94ac-7648-4f51-82af-1221afbc3600

The cause is that the role in Vault is configured with a credential_type of assumed_role (the same applies to other credential types) and its policy_document contains a long list of policies that exceeds the size limits. When Vault calls the sts:AssumeRole endpoint to obtain the credentials, the policies specified in policy_document are embedded in the session token, which is subject to the AWS packed policy size limit. The error is returned when the session token exceeds that limit.
Below are two possible solutions to address the issue:
Solution 1
Review the AWS KB article "How do I resolve the 'PackedPolicyTooLarge' error when I assume an IAM role through AWS STS?" for possible options to reduce the size of the session token.
Solution 2
- Do not use policy_document to apply the policies to the credentials; instead, create a policy in AWS and use the policy_arns option in the role configuration to point to that policy in AWS.
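The two role shapes discussed above, as an added example that is not part of the KB article or of Vault's own code: a small Python pre-flight that measures an inline policy_document the way the text describes (its plaintext is what feeds the STS packed-policy budget), then builds the request body for Vault's aws/roles/:name endpoint both in the failing inline form and in the Solution 2 form that references managed policies through policy_arns. The role name, account id, ARNs and policy statements are constructed placeholders; the 2,048-character plaintext ceiling and the 10-ARN ceiling are AWS's documented limits for sts:AssumeRole, while the packed size itself is computed by AWS and cannot be reproduced locally, so a policy under the plaintext limit can still fail.

```python
"""Pre-flight checks for a Vault AWS secrets engine role with
credential_type "assumed_role", and the two ways of attaching permissions:
an inline policy_document or policy_arns pointing at managed policies.

Added example; not code from the KB article or from Vault. The request
bodies follow the documented field names of Vault's POST /v1/aws/roles/:name
API; every ARN, account id, role name and policy statement below is a
constructed placeholder.
"""
import json
import shlex

# AWS documents a 2,048-character plaintext ceiling for the inline session
# policy passed to sts:AssumeRole, and at most 10 managed policy ARNs.
# The *packed* size behind PackedPolicyTooLarge is computed by AWS after
# compression and cannot be reproduced client-side, so these checks only
# catch the obvious cases; a policy under 2,048 characters can still fail.
STS_INLINE_POLICY_MAX_CHARS = 2048
STS_MAX_POLICY_ARNS = 10


def minify(policy_document: str) -> str:
    """Return the policy as compact JSON; whitespace carries no permissions,
    so the compact form is the smallest plaintext the policy can occupy."""
    return json.dumps(json.loads(policy_document), separators=(",", ":"))


def preflight_inline_policy(policy_document: str) -> dict:
    """Report the figures that feed the STS packed-policy budget."""
    doc = json.loads(policy_document)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single bare statement object
        statements = [statements]
    compact = minify(policy_document)
    return {
        "statements": len(statements),
        "plaintext_chars": len(compact),
        "over_plaintext_limit": len(compact) > STS_INLINE_POLICY_MAX_CHARS,
    }


def build_role_inline(role_arns, policy_document):
    """Role body in the form the article describes as failing once the
    policy grows: every permission is carried inline in policy_document."""
    return {
        "credential_type": "assumed_role",
        "role_arns": list(role_arns),
        "policy_document": minify(policy_document),
    }


def build_role_arns(role_arns, policy_arns):
    """Solution 2: permissions live in managed policies in AWS and the Vault
    role only references them, so the session policy stays small."""
    arns = list(policy_arns)
    if len(arns) > STS_MAX_POLICY_ARNS:
        raise ValueError(
            f"sts:AssumeRole accepts at most {STS_MAX_POLICY_ARNS} policy ARNs, got {len(arns)}"
        )
    return {
        "credential_type": "assumed_role",
        "role_arns": list(role_arns),
        "policy_arns": arns,
    }


def vault_write_command(role_name: str, payload: dict) -> str:
    """Render the payload as the equivalent `vault write` invocation. List
    fields are comma-joined, which Vault's CLI accepts for these parameters
    (an assumption based on the field types, not stated in the article)."""
    parts = ["vault", "write", f"aws/roles/{role_name}"]
    for key, value in payload.items():
        text = ",".join(value) if isinstance(value, list) else value
        parts.append(f"{key}={shlex.quote(text)}")
    return " ".join(parts)


def sample_policy(n_statements: int) -> str:
    """Constructed policy with one Allow statement per bucket, used to show
    how a long allow-list outgrows the inline budget."""
    statements = [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::example-bucket-{i:02d}/*",
        }
        for i in range(n_statements)
    ]
    return json.dumps({"Version": "2012-10-17", "Statement": statements}, indent=2)


if __name__ == "__main__":
    role_arns = ["arn:aws:iam::123456789012:role/vault-deploy"]  # placeholder
    for n in (1, 40):
        print(n, "statement(s):", preflight_inline_policy(sample_policy(n)))
    managed = ["arn:aws:iam::123456789012:policy/deploy-read-buckets"]  # placeholder
    print(vault_write_command("deploy-uat", build_role_arns(role_arns, managed)))
```

Running the script shows the single-statement policy comfortably under the plaintext ceiling and the 40-statement allow-list well over it; the last line prints the `vault write` command for the policy_arns form, which is the shape to move to when the inline form starts returning PackedPolicyTooLarge.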