How do I resolve API throttling or "Rate exceeded" errors for IAM and AWS STS?


My application gets an error message similar to "Throttling: Rate exceeded, status code: 400" when I use AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS).

Short description

API calls from the AWS Management Console, the AWS Command Line Interface (AWS CLI), and applications contribute to a maximum rate quota for your AWS account.

Note: You can't increase the AWS service rate quotas.

Resolution

To avoid throttling errors, follow these best practices:

  • Implement exponential backoff in your application's code. Exponential backoff allows longer waits each time an API call to AWS is throttled. The maximum number of delays and retries varies based on the application.
    Note: The AWS SDKs implement automatic retry logic and exponential backoff algorithms.
  • To lower the rate of API calls, some applications use caching. For example, if your application uses the AssumeRole API call for cross-account workflows, then you can store and reuse the temporary credentials for multiple cross-account calls instead of making a new AssumeRole call for each cross-account API call.
  • If your application calls AssumeRole and caches the credentials, then check the maximum session duration of the role's temporary credentials. When you lengthen the duration of the temporary credentials, you don't need to call AssumeRole as often.
  • Don't run many API calls at the same time, for example applications that call SimulatePrincipalPolicy or GenerateServiceLastAccessedDetails once a day to audit IAM identity permissions. Instead, distribute your API calls over a longer period of time.
  • For applications that use an API call, such as CreatePolicyVersion, to dynamically change IAM policy permissions, use a method other than an API call. For example, you can use session policies when you assume an IAM role.
  • For AWS STS throttling errors, don't send all STS calls to the global endpoint. Instead, use AWS Regional STS endpoints. Each endpoint has a separate throttling quota. Regional STS endpoints can provide a faster response time on the STS API calls.
  • Because AWS accounts have separate throttling quotas, use AWS Organizations to spread the workloads across multiple accounts. There's no additional cost to create a new account, and Organizations provides consolidated billing. Service control policies (SCPs) allow you to control the maximum permissions of IAM identities across an account. For more information, see Manage accounts through AWS Organizations and How do I get started with AWS Organizations?
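The following Python script is an added example, not code from AWS or its SDKs, that combines the first three recommendations above: full-jitter exponential backoff on throttling errors, and a per-role AssumeRole credential cache that only calls AssumeRole again when the cached credentials are close to their session expiration. The STS call is a constructed stub that throttles its first two attempts so the script runs offline; in a real deployment you would pass a wrapper around boto3's sts.assume_role and map botocore's ClientError with error code "Throttling" to ThrottlingError.

```python
import random
import time
from dataclasses import dataclass

class ThrottlingError(Exception):
    """Stand-in for the SDK's throttling error (boto3 raises ClientError with code 'Throttling')."""

def call_with_backoff(fn, max_retries=5, base=0.2, cap=5.0, sleep=time.sleep, rand=random.random):
    """Call fn(); on ThrottlingError sleep up to base*2^attempt seconds (capped, full jitter) and retry.
    Returns (result, attempts made); re-raises once max_retries throttled retries are used up."""
    for attempt in range(max_retries + 1):
        try:
            return fn(), attempt + 1
        except ThrottlingError:
            if attempt == max_retries:
                raise
            sleep(rand() * min(cap, base * (2 ** attempt)))

@dataclass
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # epoch seconds, taken from the AssumeRole response

class AssumeRoleCache:
    """Reuse AssumeRole credentials per role ARN until they are within refresh_margin seconds of expiry."""
    def __init__(self, assume_role, now=time.time, refresh_margin=300, sleep=time.sleep):
        self._assume_role = assume_role  # callable(role_arn) -> TempCredentials, e.g. a boto3 wrapper
        self._now, self._margin, self._sleep = now, refresh_margin, sleep
        self._cache = {}

    def get(self, role_arn):
        creds = self._cache.get(role_arn)
        if creds is None or creds.expiration - self._now() < self._margin:
            creds, _ = call_with_backoff(lambda: self._assume_role(role_arn), sleep=self._sleep)
            self._cache[role_arn] = creds
        return creds

def make_fake_sts(clock, throttle_first=2, duration=3600):
    """Constructed STS stub: throttles the first `throttle_first` calls, then issues credentials for `duration` s."""
    state = {"calls": 0, "assumed": 0}
    def assume_role(role_arn):
        state["calls"] += 1
        if state["calls"] <= throttle_first:
            raise ThrottlingError("Rate exceeded")
        state["assumed"] += 1
        return TempCredentials("ASIAEXAMPLE", "constructed-secret", f"token-{state['assumed']}", clock() + duration)
    return assume_role, state
```

Lengthening the role's maximum session duration shows up here as a larger `duration`, which directly reduces how often `get` has to call AssumeRole.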

Related information

How can I find which AWS API call is causing a "Rate exceeded" error?