How can I resolve API throttling or "Rate exceeded" errors for IAM and AWS STS?

Last updated: 2022-01-24

My application is getting an error message similar to the following:

"Throttling: Rate exceeded, status code: 400,"

Short description

API calls from the AWS Management Console, the AWS Command Line Interface (AWS CLI), and applications contribute to a maximum rate limit for your AWS account.

Note: The AWS service rate limits can't be increased.

Resolution

Follow these best practices to avoid throttling errors.

  • Implement exponential backoff in your application's code. Exponential backoff waits longer each time an API call to AWS is throttled before retrying it. The maximum delay and the maximum number of retries depend on the application.
    Note: The AWS SDKs implement automatic retry logic with exponential backoff.
  • Some applications can implement caching to lower the rate of API calls. For example, if your application calls AssumeRole for a cross-account workflow, the temporary credentials you receive can be stored and reused for multiple cross-account calls. This means that you don't need to make a new AssumeRole call for each cross-account API call.
  • If your application calls AssumeRole and caches the credentials, check the maximum session duration of the role's temporary credentials. Lengthening the duration of the temporary credentials ensures that you don't need to call AssumeRole as often.
  • Spread your API calls over a longer period of time instead of calling the APIs all at once. For example, if an application has a daily job that calls SimulatePrincipalPolicy or GenerateServiceLastAccessedDetails to audit permissions for AWS Identity and Access Management (IAM) users and roles, you can stagger those API calls instead of running them all at the same time.
  • For applications that dynamically change IAM policy permissions using API calls like CreatePolicyVersion, consider another method. For example, you can use session policies during IAM role assumption.
  • For AWS Security Token Service (AWS STS) throttling errors, consider using Regional STS endpoints instead of sending all AWS STS calls to the global endpoint. Each endpoint has a separate throttling limit. Using Regional AWS STS endpoints can provide applications a faster response time on the AWS STS API calls.
  • If you're not sure which IAM user or role in your AWS account is making a large number of API calls, use AWS CloudTrail to view Event history. You can also use Amazon Athena to run SQL queries and filter CloudTrail logs. For instructions, see How can I find which API call is causing the "Rate exceeded" error?
  • Because AWS accounts have separate throttling limits, consider spreading the workloads across multiple accounts using AWS Organizations. Creating new AWS accounts is at no additional cost, and Organizations provides consolidated billing. Service control policies (SCPs) allow you to control the maximum permissions of IAM users and roles across an AWS account. For more information, see Manage accounts through AWS Organizations and How do I get started with AWS Organizations?
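The first three practices above (exponential backoff, caching AssumeRole credentials, and lengthening their session duration) are shown together in the following added example. It is not code from this article or from any AWS SDK: FakeSTS is a constructed, offline stand-in for the STS AssumeRole API that throttles its first two requests, the account ID, role name and credential values are placeholders, and the clock is simulated so the script runs without network access. To use it against AWS, pass a boto3 STS client's assume_role (wrapped to accept role_arn, session_name and duration) in place of FakeSTS.assume_role.

```python
"""Exponential backoff with jitter plus AssumeRole credential caching.

Added example, not code from the AWS article or an AWS SDK. FakeSTS is a
constructed stand-in for the STS AssumeRole API so the script runs offline.
"""
import random
import time
from datetime import datetime, timedelta, timezone


class ThrottlingError(Exception):
    """Models the 'Throttling: Rate exceeded, status code: 400' response."""


def capped_delay(attempt, base_delay, max_delay):
    """Exponential delay for a 0-based retry attempt, capped at max_delay."""
    return min(max_delay, base_delay * (2 ** attempt))


def backoff_schedule(max_retries, base_delay=0.5, max_delay=20.0):
    """The un-jittered wait sequence: base, 2*base, 4*base, ... up to the cap."""
    return [capped_delay(a, base_delay, max_delay) for a in range(max_retries)]


def call_with_backoff(fn, max_retries=5, base_delay=0.1, max_delay=20.0,
                      sleep=time.sleep, rand=random.random):
    """Call fn(); on ThrottlingError sleep capped_delay * jitter and retry.

    Full jitter (random factor in [0, 1)) keeps many throttled clients from
    retrying in lock-step. Re-raises after the last retry.
    Returns (result, attempts_used)."""
    for attempt in range(max_retries + 1):
        try:
            return fn(), attempt + 1
        except ThrottlingError:
            if attempt == max_retries:
                raise
            sleep(capped_delay(attempt, base_delay, max_delay) * rand())


class AssumeRoleCache:
    """Reuse temporary credentials per (role_arn, session_name); call
    AssumeRole again only when they are within refresh_margin of expiring."""

    def __init__(self, assume_role, duration_seconds=3600,
                 refresh_margin=timedelta(minutes=5), now=None, sleep=time.sleep):
        self._assume_role = assume_role  # callable(role_arn, session_name, duration)
        self._duration = duration_seconds
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._sleep = sleep
        self._cache = {}
        self.assume_role_calls = 0       # successful AssumeRole round trips

    def credentials(self, role_arn, session_name):
        key = (role_arn, session_name)
        creds = self._cache.get(key)
        if creds is None or creds["Expiration"] - self._now() <= self._margin:
            creds, _ = call_with_backoff(
                lambda: self._assume_role(role_arn, session_name, self._duration),
                sleep=self._sleep)
            self._cache[key] = creds
            self.assume_role_calls += 1
        return creds


class FakeSTS:
    """Constructed stand-in for STS: throttles the first throttle_n requests,
    then returns placeholder credentials valid for duration_seconds."""

    def __init__(self, throttle_n, clock):
        self.throttle_n = throttle_n
        self.clock = clock
        self.requests = 0                # every request, throttled or not

    def assume_role(self, role_arn, session_name, duration_seconds):
        self.requests += 1
        if self.requests <= self.throttle_n:
            raise ThrottlingError("Throttling: Rate exceeded, status code: 400")
        return {                         # placeholder values, not real credentials
            "AccessKeyId": "ASIA-PLACEHOLDER",
            "SecretAccessKey": "SECRET-PLACEHOLDER",
            "SessionToken": "TOKEN-PLACEHOLDER",
            "Expiration": self.clock() + timedelta(seconds=duration_seconds),
        }


def simulate(duration_seconds=3600, cross_account_calls=120):
    """A job making one cross-account call per minute. Returns
    (sts_requests, assume_role_calls): requests that reached STS (throttled
    ones included) and credential sets actually fetched. A longer session
    duration means fewer AssumeRole calls for the same workload."""
    now = [datetime(2022, 1, 24, tzinfo=timezone.utc)]   # constructed clock
    sts = FakeSTS(throttle_n=2, clock=lambda: now[0])
    cache = AssumeRoleCache(sts.assume_role, duration_seconds,
                            now=lambda: now[0], sleep=lambda _: None)
    for _ in range(cross_account_calls):
        cache.credentials("arn:aws:iam::111122223333:role/ExampleRole", "audit")
        now[0] += timedelta(minutes=1)
    return sts.requests, cache.assume_role_calls


if __name__ == "__main__":
    print("1h credentials:", simulate(3600))    # (5, 3)
    print("4h credentials:", simulate(14400))   # (3, 1)
```

With one-hour credentials the two-hour job refreshes three times (and the first fetch survives two throttled attempts), so five requests reach STS; with four-hour credentials the same job fetches once and sends three requests. Real STS sessions have a role-level maximum session duration, so the duration you request must not exceed it.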