By using AWS re:Post, you agree to the Terms of Use

Assume role adding latency to over API request

0

I am using assume role for my application to access dynamodb cross region and cross account. I see that if the same local table is accessed without assume role the latency is low and I assume a role and try to access the same table the p99 latency of my API request goes up. The dynamodb latency is constant though. I am using go-sdk and I have configured region when creating the session. Also, ensured that the session is created only once and re-used for each dynamodb request.

2 Answers
1

Hi,

Thanks for reaching out to us via AWS re:Post. I understand that you are having high latency while assuming a role.

I researched more on STS AssumeRole functionality and came up with following points that could help you in reducing the latency:

Firstly, I would like to mention that when making an STS assume role, your request will be reaching to a STS service endpoint and there are two types of STS endpoint. One is Global endpoint (https://sts.amazonaws.com ) and the other is Regional endpoint (https://sts .{region}.amazonaws.com). Please refer the table present in the documentation[1] to know more about the STS regions and endpoints.

That being said, all the requests made to STS service will go to a single endpoint (i.e., global endpoint: https://sts.amazonaws.com ). However, we do recommend our customers to use regional AWS STS endpoints instead of the global endpoints to reduce latency, build in redundancy, and increase session token validity. As stated in the first paragraph of documentation[2], when making your AWS STS calls to an endpoint that is geographically closer to your services and applications, you can access AWS STS services with lower latency and better response times.

Further, another important point to note is that, Session tokens from Regional AWS STS endpoints are valid in all AWS Regions whereas Session tokens from the global STS endpoint are valid only in AWS Regions that are enabled by default.

Having said that, I would suggest you to make requests to STS regional endpoints which is geographically closer to you where the client instance is hosted. Also, if you are calling STS AssumeRole for each code run i.e for each API request you are making to your DynamoDB table then your assume role code should indeed be generating a new token on each call which could be adding latency to the overall request.

Please modify and test your code as per your requirement before using it in your prod environment. Have a great day ahead!

References:

[1] Regions and endpoints https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints

[2] Managing AWS STS in an AWS Region https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

[3] Writing code to use AWS STS regions https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code

[4] AssumeRole API https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

answered a month ago
  • Hi,

    I have tried providing region in my STS call but that does not resolve the problem of high latency. Is there way I can ensure that my STS request is going to the regional end point and not the global one ?

    Thanks

1

Hi,

Thanks for writing back

You can refer the following doc->

[] AWS STS Regionalized endpoints - https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

More detail-> [] Managing AWS STS in an AWS Region - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

In case a further dig down of the issue is needed - please feel free to reach out to us via a Support Ticket for the team to dig through the resources for any other issues on the project - I sincerely hope I was able to shed some light on the matter for you - Have a great rest of the day!

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions