I did not know that there is a dependency between regions for the AWS IAM service until one day when IAM had an outage, as I have never seen any relevant information in any AWS documentation.
On 23/Aug, Sydney time, I noticed that the IAM console was not fully functional when I tried to make a change to a role. The console showed errors when I tried to list the roles.
Also, one of my teammates was not able to log in; he either got a 500 or timed out, but I could log in without problems.
Here is what was showing on the AWS status page.
It said the IAM service was operating normally in the Sydney region, but it actually was not. I guess it was most likely caused by the issue (Increased Error Rates and Latencies) that was happening in the Virginia region. Later I confirmed this with our AWS TAM. Per him, the Virginia region is where all IAM metadata is stored, therefore any changes have to be made to that region. That explains why I could not even list the roles when Virginia had IAM service issues.
For the login issue that my teammate had, I guess it could be because he had not logged in for quite a while (a couple of months), so his login was not cached. The authentication request needs to be sent to the backend where the metadata is saved. As I had logged in recently, my login info was cached. That’s why I could log in, but he could not.