Check ARNs for AssumeRole regularly not hitting quota limits

0

Hello,

we need to do a regular check of all our customers who gave us permissions for AssumeRole in case they drop the permission/role/user. With respect to quota limits, what would be the best possible way of doing that? I am thinking:

  • For each customer account (ARN)
  • Perform AssumeRole for that ARN
  • Perform some "ping" operation (e.g. DescribeRegions)
  • Delay so we don't hit the service quota limits (e.g. DescribeRegions has 20 operations per second bucket).

It is not clear how service quota limits are applied when doing AssumeRole. Is that applied against ours (service) account, or customer (assumed) account?

What are the limits for the STS operations, specifically AssumeRole? There is not much in the docs in this regard, or I am missing it.

Is there some always-available "ping" operation we could call, or some STS API request that would confirm to us that the ARN is valid?

Is there a place we can check the consumption of quota limits so we can fine-tune our background checker?

Thanks

1 Answer
1
Accepted Answer

If you do an sts:AssumeRole call, it will either work or you will get an Access Denied, so just do a Try/Catch. Then you already know if the role exists and if you can access it, so no need for pinging.

If you want to confirm the role's access, the best would be to use the Role (in the customer account) to describe itself and have a look at its policy. (Be aware of Deny statements and permissions boundaries.)

The sts:AssumeRole call is counted in your Account, and anything you do with the Role you assumed will be counted against the Account of the Role you assumed.

I could not find any official limit on the sts:AssumeRole call either, but AWS has (on some services) dynamic limits (they will change after your usage). However, STS is a core building block of AWS, so it should be able to handle anything you throw at it. But you should ALWAYS configure retries in all your AWS SDK clients; this is a Python boto3 example, but every language has its own implementation with the same logic. You want to use the standard mode :) https://boto3.amazonaws.com/v1/documentation/api/latest/guide/retries.html

Beware that retries can cause long executions, so combined with Lambda you often get "Timeouts" that mask the underlying AWS call. So be generous with the Lambda logging and execution time.

Hope it helps and good luck!

answered a year ago
  • Thank you very much for such an elaborate answer. Really appreciate this!
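The checker the accepted answer sketches, as an added example (not code from the question or the answer): a try/except around sts:AssumeRole with the boto3 standard retry mode, an optional step where the assumed role describes itself with iam:GetRole, and a configurable pause between customers. The names RoleCheck, check_role, check_all, FakeSts and the sample ARNs are this example's own inventions; the real client is only built inside make_sts_client so the module runs offline against the constructed FakeSts, and the self-describe step assumes the customer's role is allowed iam:GetRole on itself.

```python
"""Periodic AssumeRole health check (added example, not the original post's code)."""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Optional

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore not installed: stand-in with the same .response shape (assumption)
    class ClientError(Exception):
        def __init__(self, error_response: Dict[str, Any], operation_name: str):
            super().__init__(f"{operation_name}: {error_response['Error']['Code']}")
            self.response = error_response
            self.operation_name = operation_name


@dataclass
class RoleCheck:
    role_arn: str
    assumable: bool
    error_code: Optional[str] = None  # e.g. "AccessDenied" when the customer dropped the trust
    trust_policy: Optional[Dict[str, Any]] = None  # filled when the role could describe itself


def make_sts_client():
    """Real STS client; imported lazily so the module loads without boto3."""
    import boto3
    from botocore.config import Config
    # Standard retry mode: exponential backoff with jitter on throttling and
    # transient errors. Raise max_attempts for batch jobs, and give Lambda
    # enough execution time so retries are not hidden behind a timeout.
    return boto3.client("sts", config=Config(retries={"mode": "standard", "max_attempts": 5}))


def role_name_from_arn(role_arn: str) -> str:
    """'arn:aws:iam::123456789012:role/path/Name' -> 'Name'."""
    resource = role_arn.split(":", 5)[5]  # 'role/path/Name'
    if not resource.startswith("role/"):
        raise ValueError(f"not a role ARN: {role_arn}")
    return resource.rsplit("/", 1)[1]


def check_role(sts, role_arn: str, session_name: str = "role-health-check",
               iam_factory: Optional[Callable[[Dict[str, str]], Any]] = None) -> RoleCheck:
    """One AssumeRole call. The call itself counts against *our* account's STS quota;
    anything done with the returned credentials counts against the customer's account."""
    try:
        resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900)
    except ClientError as exc:
        return RoleCheck(role_arn, False, exc.response.get("Error", {}).get("Code", "Unknown"))
    result = RoleCheck(role_arn, True)
    if iam_factory is not None:  # optional: let the role describe itself (needs iam:GetRole on itself)
        try:
            iam = iam_factory(resp["Credentials"])
            role = iam.get_role(RoleName=role_name_from_arn(role_arn))["Role"]
            result.trust_policy = role.get("AssumeRolePolicyDocument")
        except ClientError as exc:
            result.error_code = exc.response.get("Error", {}).get("Code", "Unknown")
    return result


def check_all(sts, role_arns: Iterable[str], delay_seconds: float = 0.5,
              sleep: Callable[[float], None] = time.sleep, iam_factory=None) -> List[RoleCheck]:
    """Walk every customer ARN with a pause between calls so a large customer
    list does not burst against the STS quota of our own account."""
    results = []
    for arn in role_arns:
        results.append(check_role(sts, arn, iam_factory=iam_factory))
        if delay_seconds > 0:
            sleep(delay_seconds)
    return results


class FakeSts:
    """Constructed stand-in for the STS client: trusts a fixed set of ARNs,
    answers AccessDenied for everything else (constructed, offline only)."""
    def __init__(self, trusted: Iterable[str]):
        self.trusted = set(trusted)

    def assume_role(self, RoleArn: str, RoleSessionName: str, DurationSeconds: int = 3600):
        if RoleArn not in self.trusted:
            raise ClientError({"Error": {"Code": "AccessDenied", "Message": "not authorized"}}, "AssumeRole")
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "SessionToken": "y"}}


if __name__ == "__main__":
    # Constructed sample run; swap FakeSts for make_sts_client() in production.
    sample = ["arn:aws:iam::111111111111:role/VendorAccess", "arn:aws:iam::222222222222:role/VendorAccess"]
    for r in check_all(FakeSts(sample[:1]), sample, delay_seconds=0):
        print(r)
```

The delay and the sleep function are injectable so the loop can be tested without waiting; in production keep a small pause between customers and rely on the standard retry mode to absorb any throttling that does occur.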
