-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On AWS Organizations with many accounts populate fails. #112
Comments
@arnvid How often does it happen to you? The biggest identity center instance I work with just now gives me about 200 roles. Here aws-sso-util sometimes gives me the same error. It almost always works when I retry the command. |
As far as I can tell aws-sso-util doesn't do anything that should obviously exceed a rate limit. It instantiates the SSO client ẁith implicit default retry handling. aws-sso-util/cli/src/aws_sso_util/populate_profiles.py Lines 305 to 309 in 9290b84
It starts a loop to call ListAccountRoles. aws-sso-util/cli/src/aws_sso_util/populate_profiles.py Lines 341 to 342 in 9290b84
It continues the loop until there are no more result pages. aws-sso-util/cli/src/aws_sso_util/populate_profiles.py Lines 361 to 365 in 9290b84
The Identity Center documentation says its APIs have a collective throttle maximum of 20 transactions per second. I'm unsure what that means in practice. Does that limit apply to all users of the ListAccountRoles API? It seems like a low limit. |
You may be able to avoid the throttling errors by setting environment variables to control the SDK retry behavior. I'd try something like this: export AWS_RETRY_MODE=standard AWS_MAX_ATTEMPTS=100 The standard retry mode classes HTTP status code 429 as a transient error and so would automatically retry. |
It happends everytime on our production SSO. About 396 profiles before adding PIM'd roles. |
With these added I can get through: Gathering accounts and roles |
Thanks for confirming that those environment variables allow you to write the profiles. And thanks for sharing info about the number of roles you have. My guess is that it's more likely to happen with a longer list of roles. I think the next step would be to set up a lab environment with a variable number of roles between 100 and 1000 and see whether it's more likely at the bigger end of the scale. If someone can reproduce the throttling error in a lab environment then maybe they could adjust the paging behavior to work without needing the user to set any environment variables. |
Someone reported the same problem in #97 (comment). Earlier I proposed this solution:
Nice idea, but it sounds like a lot of work to compensate for bad API behavior on the AWS side. I propose we configure the client that calls |
I'm nearing the end of my time off, and I plan on fully re-engaging with all of my projects, but realistically it means nothing is going to be addressed until early next year. |
Finally back to this. I think the right way to solve this is to spread out the calls to match the right API rate limit. Do we know what that is? |
The Identity Center Quotas page says only this about rates:
It's not clear to me whether 20 TPS applies only to the instance APIs or also to the Portal APIs. Even if it does apply to the Portal, a single client's limit can be a lot less than 20 TPS. It's not clear to me what "collective throttle maximum" means. Is it one quota for all clients of one Identity Center instance? Any way to get a clarification from the Identity Center service team on this? |
I haven't measured that. It was just a guess and it may be wrong. For what it's worth, Granted uses a rate limit of 20 TPS to call ListAccountRoles. // Setting the rate limit to 20 since IAM Identity Center APIs have a throttle maximum of 20 transactions per second (TPS) (https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html)
rl := uberratelimit.New(20) I can't read Go well enough to understand how it handles throttling errors. |
We are seeing the error TooManyRequestsException when calling the ListAccountRoles operation for our AWS Organization.
cmd line used:
aws-sso-util configure populate -r eu-west-1 --force-refresh -u https://d-xxxxxxxxxx.awsapps.com/start
Logging in to https://d-xxxxxxxxx.awsapps.com/start
Login with IAM Identity Center required.
Attempting to open the authorization page in your default browser.
If the browser does not open or you wish to use a different device to
authorize this request, open the following URL:
https://device.sso.eu-west-1.amazonaws.com/
Then enter the code:
XXXX-XXXX
Gathering accounts and roles
Traceback (most recent call last):
File "/Users/arnvid/.local/bin/aws-sso-util", line 8, in
sys.exit(cli())
^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 1157, in call
return self.main(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/aws_sso_util/populate_profiles.py", line 342, in populate_profiles
response = client.list_account_roles(**list_role_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/botocore/client.py", line 535, in _api_call
return self._make_api_call(operation_name, kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/arnvid/.local/pipx/venvs/aws-sso-util/lib/python3.11/site-packages/botocore/client.py", line 980, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.TooManyRequestsException: An error occurred (TooManyRequestsException) when calling the ListAccountRoles operation (reached max retries: 4): HTTP 429 Unknown Code
The text was updated successfully, but these errors were encountered: