Comments (6)
This is affecting my organization in a PROD deploy right now. It's not the same organization as the one this issue was reported for.
from aws-iam-identity-center-extensions.
@allquixotic, @jjleigh - ACK on the issue. For context, this is how the solution should behave:
- When an account assignment operation with root, account_tag or ou_id scope is provisioned, the solution triggers off a state machine in the ORG main account to discover the list of target AWS accounts that resolve to that scope.
- The state machine is designed such that it only posts a maximum of 5 account assignment payloads (in parallel) at any given time.
- It then posts account assignment creation/deletion payloads to an SNS topic that has a cross-account Lambda subscriber from the target account.
- This subscriber then puts the payload into a FIFO queue using a combination of target account, permission set and operation (create/delete) as the message group ID.
- The FIFO queue subscriber has a batch size of 10 enforced, i.e. it would not process any more than 10 account assignments at a given time.
- Additionally, the subscriber would only remove the payload from the queue after the account assignment is successfully created/deleted, the operation times out, or the SSO admin API returns an error.
- These limits are set with the expectation that the standard SSO admin API throttle limit is 10.
I believe the missing part here is a mandatory wait enforcement between each pagination operation in the state machine. Because this was missing, the state machine keeps processing the pages and overloads the FIFO queue. We did enforce this pattern on the current config import / region switch state machines.
We will amend the state machines to fit in with this behaviour and ask @jmejco / @tamara-h to validate on a demo set-up that has more than 50 accounts under an account_tag/ou_id/root scope and check if the enforced wait between pages resolves the issue. We're on public holiday here in the UK until 5th June and as such they could validate the behaviour on 6th June.
Hope this helps,
Leela
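The design described above (a producer that paginates the account list and posts at most 5 payloads at a time, a FIFO queue keyed by account, permission set and operation, and a consumer that can only complete work at the SSO admin API throttle limit of 10) can be replayed on a simulated clock to see why the missing wait between pages overloads the queue. This is an added illustration, not code from the aws-iam-identity-center-extensions project; the page size of 20, the 100 ms tick, the one-tick cost per parallel batch and the account IDs are constructed assumptions.

```python
import math
from typing import Dict, List, Tuple

# Limits quoted in the thread.
SSO_ADMIN_TPS_LIMIT = 10        # standard SSO admin API throttle limit
MAX_PARALLEL_PAYLOADS = 5       # state machine posts at most 5 payloads at a time

# Simulation granularity (assumed): one tick = 100 ms, so 10 TPS drains 1 item per tick.
TICK_MS = 100
DRAIN_PER_TICK = SSO_ADMIN_TPS_LIMIT * TICK_MS // 1000
PAGE_SIZE = 20                  # assumed page size of the account-discovery call


def message_group_id(account_id: str, permission_set_arn: str, operation: str) -> str:
    """FIFO message group ID from target account, permission set and operation,
    so operations on the same (account, permission set) pair are serialised."""
    if operation not in ("create", "delete"):
        raise ValueError(f"unsupported operation: {operation}")
    return f"{account_id}|{permission_set_arn}|{operation}"


def paginate(items: List[str], page_size: int) -> List[List[str]]:
    """Split the discovered account list into pages, as the API would return them."""
    return [items[i:i + page_size] for i in range(0, len(items), page_size)]


def dispatch(pages: List[List[str]], wait_ticks: int) -> List[Tuple[int, str]]:
    """Replay the state machine on a simulated clock: each group of up to
    MAX_PARALLEL_PAYLOADS payloads costs one tick, and after every page the
    machine waits wait_ticks (0 reproduces the missing-wait behaviour)."""
    clock, events = 0, []
    for page in pages:
        for i in range(0, len(page), MAX_PARALLEL_PAYLOADS):
            for account in page[i:i + MAX_PARALLEL_PAYLOADS]:
                events.append((clock, account))   # (arrival tick, target account)
            clock += 1
        clock += wait_ticks
    return events


def max_backlog(events: List[Tuple[int, str]], drain_per_tick: int = DRAIN_PER_TICK) -> int:
    """Peak queue depth when the consumer can only complete drain_per_tick
    assignments per tick; this is what 'overloads the FIFO queue' means here."""
    arrivals: Dict[int, int] = {}
    for tick, _ in events:
        arrivals[tick] = arrivals.get(tick, 0) + 1
    if not arrivals:
        return 0
    backlog = peak = 0
    for tick in range(max(arrivals) + 1):
        backlog += arrivals.get(tick, 0)
        peak = max(peak, backlog)
        backlog = max(0, backlog - drain_per_tick)
    return peak


def required_wait_ticks(page_size: int, drain_per_tick: int = DRAIN_PER_TICK) -> int:
    """Smallest wait after a page so the consumer has drained that page before
    the next one arrives: total drain time minus the ticks spent dispatching."""
    dispatch_ticks = math.ceil(page_size / MAX_PARALLEL_PAYLOADS)
    drain_ticks = math.ceil(page_size / drain_per_tick)
    return max(0, drain_ticks - dispatch_ticks)


def simulate(total_accounts: int, wait_ticks: int) -> int:
    """Peak backlog for a scope resolving to total_accounts accounts."""
    accounts = [f"{111111111111 + n:012d}" for n in range(total_accounts)]  # constructed IDs
    return max_backlog(dispatch(paginate(accounts, PAGE_SIZE), wait_ticks))


if __name__ == "__main__":
    wait = required_wait_ticks(PAGE_SIZE)
    print(f"no wait between pages: peak backlog {simulate(120, 0)}")
    print(f"{wait} ticks ({wait * TICK_MS} ms) between pages: peak backlog {simulate(120, wait)}")
```

Without a wait, the backlog grows with the total number of accounts in the scope (roughly 4 extra messages per batch, since 5 arrive while 1 drains), which is why the problem only shows up once a scope resolves to many accounts; with the derived wait the backlog is bounded by a single page regardless of how many accounts the scope contains.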
I set sleep statements in my Directory Service to SSO migration code that slow down the import and worked around this for my purposes, but it should definitely be resolved in the SSO Extensions code.
@leelalagudu Thank you for the update!
Thanks for the update @allquixotic, at least this confirms my hypothesis theoretically. As updated, we will go ahead with this design change and load test the solution as part of the PR release.
@jjleigh, @allquixotic, mandatory wait enforcement between each page is now in the solution through #89. This should handle the throttling exceptions you are seeing.
Please do let us know if this fixed your issue,
Leela