Assume role adding latency to over API request

0

I am using assume role for my application to access DynamoDB cross-region and cross-account. I see that if the same local table is accessed without assume role, the latency is low, but when I assume a role and try to access the same table, the p99 latency of my API request goes up. The DynamoDB latency is constant, though. I am using go-sdk and I have configured the region when creating the session. I have also ensured that the session is created only once and re-used for each DynamoDB request.

2 Answers
1

Hi,

Thanks for reaching out to us via AWS re:Post. I understand that you are having high latency while assuming a role.

I researched more on STS AssumeRole functionality and came up with the following points that could help you in reducing the latency:

Firstly, I would like to mention that when making an STS AssumeRole call, your request reaches an STS service endpoint, and there are two types of STS endpoint. One is the Global endpoint (https://sts.amazonaws.com) and the other is the Regional endpoint (https://sts.{region}.amazonaws.com). Please refer to the table in the documentation [1] to know more about the STS regions and endpoints.

That being said, all the requests made to the STS service will go to a single endpoint (i.e., the global endpoint: https://sts.amazonaws.com). However, we do recommend that our customers use regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity. As stated in the first paragraph of the documentation [2], when making your AWS STS calls to an endpoint that is geographically closer to your services and applications, you can access AWS STS services with lower latency and better response times.

Further, another important point to note is that session tokens from Regional AWS STS endpoints are valid in all AWS Regions, whereas session tokens from the global STS endpoint are valid only in AWS Regions that are enabled by default.

Having said that, I would suggest that you make requests to the STS regional endpoint that is geographically closer to where the client instance is hosted. Also, if you are calling STS AssumeRole for each code run, i.e. for each API request you are making to your DynamoDB table, then your assume role code should indeed be generating a new token on each call, which could be adding latency to the overall request.

Please modify and test your code as per your requirement before using it in your prod environment. Have a great day ahead!

References:

[1] Regions and endpoints https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_region-endpoints

[2] Managing AWS STS in an AWS Region https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

[3] Writing code to use AWS STS regions https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code

[4] AssumeRole API https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

AWS
EXPERT
answered 2 years ago
  • Hi,

    I have tried providing the region in my STS call, but that does not resolve the problem of high latency. Is there a way I can ensure that my STS request is going to the regional endpoint and not the global one?

    Thanks

1

Hi,

Thanks for writing back.

You can refer to the following doc:

AWS STS Regionalized endpoints - https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

More detail: Managing AWS STS in an AWS Region - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

In case a further dig down of the issue is needed - please feel free to reach out to us via a Support Ticket for the team to dig through the resources for any other issues on the project - I sincerely hope I was able to shed some light on the matter for you - Have a great rest of the day!

AWS
EXPERT
answered 2 years ago
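One way to check from the client side which STS endpoint requests actually reach, and how often STS is called, is to wrap the HTTP transport the SDK client uses. This is an added example, not code from the thread or from the AWS SDK; `STSGuard`, `classifySTSHost` and `stub` are hypothetical names, and it assumes the SDK client accepts a custom `*http.Client`.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// classifySTSHost labels a host as the global STS endpoint, a regional one, or other.
func classifySTSHost(host string) string {
	p := strings.Split(strings.ToLower(host), ".")
	switch {
	case len(p) == 3 && p[0] == "sts" && p[1] == "amazonaws" && p[2] == "com":
		return "global" // sts.amazonaws.com
	case len(p) == 4 && p[0] == "sts" && p[1] != "" && p[2] == "amazonaws" && p[3] == "com":
		return "regional" // sts.{region}.amazonaws.com
	}
	return "other"
}

// STSGuard counts requests per endpoint class and fails closed on global STS.
type STSGuard struct {
	Next  http.RoundTripper
	mu    sync.Mutex
	Calls map[string]int // must be initialised by the caller
}

func (g *STSGuard) RoundTrip(r *http.Request) (*http.Response, error) {
	kind := classifySTSHost(r.URL.Hostname())
	g.mu.Lock()
	g.Calls[kind]++
	g.mu.Unlock()
	if kind == "global" {
		return nil, fmt.Errorf("STS request to global endpoint %q blocked", r.URL.Host)
	}
	return g.Next.RoundTrip(r)
}

// stub stands in for the network so the example runs offline.
type stub struct{}

func (stub) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: 200, Body: http.NoBody}, nil
}

func main() {
	c := &http.Client{Transport: &STSGuard{Next: stub{}, Calls: map[string]int{}}}
	for _, u := range []string{"https://sts.us-west-2.amazonaws.com/", "https://sts.amazonaws.com/"} {
		_, err := c.Get(u) // constructed sample URLs; the stub answers, no network
		fmt.Println(u, "->", err)
	}
}
```

In a real client, `Next` would be `http.DefaultTransport`; a `regional` count that grows with every DynamoDB request indicates AssumeRole is being called per request rather than reusing cached credentials.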
