How can I resolve API throttling or "Rate exceeded" errors for IAM and AWS STS?

My application gets an error message similar to "Throttling: Rate exceeded, status code: 400,".

Short description

API calls from the AWS Management Console, the AWS Command Line Interface (AWS CLI), and applications contribute to a maximum rate limit for your AWS account.

Note: You can't increase the AWS service rate limits.

Resolution

To avoid throttling errors, follow these best practices:

  • Implement exponential backoff in your application's code. Exponential backoff allows longer waits each time an API call to AWS is throttled. Depending on the application, the maximum number of delays and the maximum number of retries can vary.
    Note: The AWS SDKs implement automatic retry logic and exponential backoff.
  • Some applications can implement caching to lower the rate of API calls. For example, suppose your application calls AssumeRole for a cross-account workflow. The temporary credentials that you receive can be stored and reused for multiple cross-account calls, so you don't need to make a new AssumeRole call for each cross-account API call.
  • If your application calls AssumeRole and caches the credentials, then check the maximum session duration of the role's temporary credentials. When you lengthen the duration of the temporary credentials, you don't need to call AssumeRole as often.
  • Spread your API calls over a longer period of time instead of calling the APIs all at once. For example, an application might have a daily job that calls SimulatePrincipalPolicy or GenerateServiceLastAccessedDetails to audit permissions for AWS Identity and Access Management (IAM) users and roles. Rather than run these API calls at the same time, stagger them.
  • For applications that dynamically change IAM policy permissions using API calls like CreatePolicyVersion, consider another method. For example, you can use session policies during IAM role assumption.
  • For AWS Security Token Service (AWS STS) throttling errors, use AWS Regional STS endpoints instead of sending all AWS STS calls to the global endpoint. Each endpoint has a separate throttling limit. Regional AWS STS endpoints can provide applications a faster response time on the AWS STS API calls.
  • Because AWS accounts have separate throttling limits, consider spreading the workloads across multiple accounts using AWS Organizations. Creating new AWS accounts incurs no additional cost, and Organizations provides consolidated billing. Service control policies (SCPs) allow you to control the maximum permissions of IAM users and roles across an AWS account. For more information, see Manage accounts through AWS Organizations and How do I get started with AWS Organizations?
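The following is an added example, not code from the AWS article or from an AWS SDK, that puts the first three practices above together: a retry wrapper with exponential backoff and full jitter for "Throttling" errors, and a cache that reuses AssumeRole credentials until shortly before their expiration so one AssumeRole call serves many cross-account requests. Everything AWS-specific here is a stand-in: FakeStsClient, ThrottlingError, the example ARN and credential values are constructed so the code runs offline; with boto3 you would pass a Regional STS client (for example boto3.client("sts", region_name="us-west-2", endpoint_url="https://sts.us-west-2.amazonaws.com")) whose assume_role(RoleArn=..., RoleSessionName=..., DurationSeconds=...) corresponds to the fake's assume_role(role_arn, session_name, duration_seconds).

```python
# Added example (not AWS code): backoff with jitter plus AssumeRole credential caching.
import random
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ThrottlingError(Exception):
    """Stand-in for botocore's ClientError with error code 'Throttling'."""


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


class FakeStsClient:
    """Constructed STS stand-in: throttles the first `throttle_first` calls, then
    returns credentials valid for `duration_seconds` (the real DurationSeconds).
    A boto3 Regional client, e.g. boto3.client("sts", region_name="us-west-2",
    endpoint_url="https://sts.us-west-2.amazonaws.com"), would replace it."""

    def __init__(self, throttle_first=0, clock=None):
        self.throttle_first = throttle_first
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.calls = 0        # counted so the effect of caching is observable

    def assume_role(self, role_arn, session_name, duration_seconds=3600):
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise ThrottlingError("Throttling: Rate exceeded, status code: 400")
        return Credentials(
            access_key_id=f"ASIAEXAMPLE{self.calls}",       # constructed values
            secret_access_key="EXAMPLE-SECRET",
            session_token="EXAMPLE-SESSION-TOKEN",
            expiration=self.clock() + timedelta(seconds=duration_seconds),
        )


def call_with_backoff(fn, max_retries=5, base_delay=0.2, max_delay=20.0,
                      sleep=time.sleep, rng=random.random):
    """Run fn(); on ThrottlingError wait and retry, re-raising after max_retries.
    The wait before retry n is drawn from [0, min(max_delay, base_delay * 2**n)]
    ("full jitter"), so throttled clients do not all retry at the same instant."""
    for attempt in range(max_retries + 1):
        try:
            return fn()
        except ThrottlingError:
            if attempt == max_retries:
                raise
            sleep(min(max_delay, base_delay * (2 ** attempt)) * rng())


class AssumeRoleCache:
    """Caches credentials per (role_arn, session_name); calls AssumeRole again
    only when the cached set is within `refresh_margin` of its expiration."""

    def __init__(self, sts, refresh_margin=timedelta(minutes=5), clock=None, **backoff):
        self.sts = sts
        self.refresh_margin = refresh_margin
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.backoff = backoff     # keyword options forwarded to call_with_backoff
        self._cache = {}

    def get(self, role_arn, session_name, duration_seconds=3600):
        key = (role_arn, session_name)
        creds = self._cache.get(key)
        if creds is None or creds.expiration - self.refresh_margin <= self.clock():
            creds = call_with_backoff(
                lambda: self.sts.assume_role(role_arn, session_name, duration_seconds),
                **self.backoff)
            self._cache[key] = creds
        return creds


ROLE_ARN = "arn:aws:iam::111111111111:role/ExampleRole"     # constructed ARN


def demo(requests=50):
    """Serve `requests` cross-account calls from one cached AssumeRole result;
    returns (sts_calls_made, retry_waits). The fake throttles the first two calls."""
    waits = []
    sts = FakeStsClient(throttle_first=2)
    cache = AssumeRoleCache(sts, sleep=waits.append, rng=lambda: 1.0)
    for _ in range(requests):
        cache.get(ROLE_ARN, "nightly-audit")
    return sts.calls, len(waits)        # (3, 2): three STS calls serve all requests


def expiry_demo():
    """Advance a fake clock to show credentials are refreshed only inside the
    5-minute margin before expiry; returns STS call counts at 54 and 56 minutes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = [t0]
    sts = FakeStsClient(clock=lambda: now[0])
    cache = AssumeRoleCache(sts, clock=lambda: now[0], sleep=lambda _: None)
    cache.get(ROLE_ARN, "audit", duration_seconds=3600)
    now[0] = t0 + timedelta(minutes=54)
    cache.get(ROLE_ARN, "audit")
    at_54 = sts.calls
    now[0] = t0 + timedelta(minutes=56)
    cache.get(ROLE_ARN, "audit")
    return at_54, sts.calls             # (1, 2): refreshed only near expiry
```

The refresh margin is what makes the cache safe to combine with a longer session duration: the longer DurationSeconds the role allows, the fewer AssumeRole calls are made, while the margin ensures a request never goes out with credentials about to expire. The sleep and rng hooks exist so the retry behaviour can be verified without waiting; in production leave them at their defaults.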

Related information

How do I automatically create tables in Amazon Athena to search through AWS CloudTrail logs?

How can I find which API call is causing the "Rate exceeded" error?

AWS OFFICIAL

Updated 4 months ago