AWS Secrets Manager quotas
Secrets Manager read APIs have high TPS quotas, and control plane APIs that are less frequently called have lower TPS quotas. We recommend you avoid calling PutSecretValue or UpdateSecret at a sustained rate of more than once every 10 minutes. When you call PutSecretValue or UpdateSecret to update the secret value, Secrets Manager creates a new version of the secret. Secrets Manager removes unlabeled versions when there are more than 100, but it does not remove versions created less than 24 hours ago. If you update the secret value more than once every 10 minutes, you create more versions than Secrets Manager removes, and you will reach the quota for secret versions.
You can operate in multiple Regions in your account, and each quota applies separately to each Region.
When an application in one AWS account uses a secret owned by a different account, it's known as a cross-account request. For cross-account requests, Secrets Manager throttles the account of the identity that makes the requests, not the account that owns the secret. For example, if an identity from account A uses a secret in account B, the secret use applies only to the quotas in account A.
Secrets Manager quotas
Name | Default | Adjustable | Description |
---|---|---|---|
Combined rate of DeleteResourcePolicy, GetResourcePolicy, PutResourcePolicy, and ValidateResourcePolicy API requests | Each supported Region: 50 per second | No | The maximum transactions per second for DeleteResourcePolicy, GetResourcePolicy, PutResourcePolicy, and ValidateResourcePolicy API requests combined. |
Combined rate of DescribeSecret and GetSecretValue API requests | Each supported Region: 10,000 per second | No | The maximum transactions per second for DescribeSecret and GetSecretValue API requests combined. |
Combined rate of PutSecretValue, RemoveRegionsFromReplication, ReplicateSecretToRegion, StopReplicationToReplica, UpdateSecret, and UpdateSecretVersionStage API requests | Each supported Region: 50 per second | No | The maximum transactions per second for PutSecretValue, RemoveRegionsFromReplication, ReplicateSecretToRegion, StopReplicationToReplica, UpdateSecret, and UpdateSecretVersionStage API requests combined. |
Combined rate of RestoreSecret API requests | Each supported Region: 50 per second | No | The maximum transactions per second for RestoreSecret API requests. |
Combined rate of RotateSecret and CancelRotateSecret API requests | Each supported Region: 50 per second | No | The maximum transactions per second for RotateSecret and CancelRotateSecret API requests combined. |
Combined rate of TagResource and UntagResource API requests | Each supported Region: 50 per second | No | The maximum transactions per second for TagResource and UntagResource API requests combined. |
Rate of BatchGetSecretValue API requests | Each supported Region: 100 per second | No | The maximum transactions per second for BatchGetSecretValue API requests. |
Rate of CreateSecret API requests | Each supported Region: 50 per second | No | The maximum transactions per second for CreateSecret API requests. |
Rate of DeleteSecret API requests | Each supported Region: 50 per second | No | The maximum transactions per second for DeleteSecret API requests. |
Rate of GetRandomPassword API requests | Each supported Region: 50 per second | No | The maximum number of all other Secrets Manager API requests you can make per second in this account. |
Rate of ListSecretVersionIds API requests | Each supported Region: 50 per second | No | The maximum transactions per second for ListSecretVersionIds API requests. |
Rate of ListSecrets API requests | Each supported Region: 100 per second | No | The maximum transactions per second for ListSecrets API requests. |
Resource-based policy length | Each supported Region: 20,480 | No | The maximum number of characters in a resource-based permissions policy attached to a secret. |
Secret value size | Each supported Region: 65,536 Bytes | No | The maximum size of an encrypted secret value. If the secret value is a string, then this is the number of characters permitted in the secret value. |
Secrets | Each supported Region: 500,000 | No | The maximum number of secrets in each AWS Region of this AWS account. |
Staging labels attached across all versions of a secret | Each supported Region: 20 | No | The maximum number of staging labels attached across all versions of a secret. |
Versions per secret | Each supported Region: 100 | No | The maximum number of versions of a secret. |
Add retries to your application
Your AWS client might see calls to Secrets Manager fail due to unexpected issues on the client side. Or calls might fail due to rate limiting from Secrets Manager. When you exceed an API request quota, Secrets Manager throttles the request. It rejects an otherwise valid request and returns a throttling error. For both kinds of failures, we recommend you retry the call after a brief waiting period. This is called a backoff and retry strategy.
If you experience the following errors, you might want to add retries to your application code:
Transient errors and exceptions
- RequestTimeout
- RequestTimeoutException
- PriorRequestNotComplete
- ConnectionError
- HTTPClientError
Service-side throttling and limit errors and exceptions
- Throttling
- ThrottlingException
- ThrottledException
- RequestThrottledException
- TooManyRequestsException
- ProvisionedThroughputExceededException
- TransactionInProgressException
- RequestLimitExceeded
- BandwidthLimitExceeded
- LimitExceededException
- RequestThrottled
- SlowDown
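A backoff-and-retry wrapper for the error codes listed above, added here as an illustration (it is not AWS sample code). `ApiError`, `call_with_backoff` and the fake `get_secret` call are hypothetical names; the delay is a capped exponential backoff with full jitter, and codes outside the two lists are treated as non-retryable so that permission and validation failures surface immediately.

```python
import random
import time

# Error codes copied from the two lists above.
TRANSIENT = {"RequestTimeout", "RequestTimeoutException", "PriorRequestNotComplete",
             "ConnectionError", "HTTPClientError"}
THROTTLING = {"Throttling", "ThrottlingException", "ThrottledException",
              "RequestThrottledException", "TooManyRequestsException",
              "ProvisionedThroughputExceededException", "TransactionInProgressException",
              "RequestLimitExceeded", "BandwidthLimitExceeded", "LimitExceededException",
              "RequestThrottled", "SlowDown"}
RETRYABLE = TRANSIENT | THROTTLING


class ApiError(Exception):
    """Hypothetical stand-in for an SDK error that carries a service error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def call_with_backoff(call, max_attempts=5, base=0.2, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Run call(); return (result, delays). Retries only codes in RETRYABLE."""
    delays = []
    for attempt in range(max_attempts):
        try:
            return call(), delays
        except ApiError as err:
            # Non-retryable codes and the final attempt propagate to the caller.
            if err.code not in RETRYABLE or attempt == max_attempts - 1:
                raise
            # Full jitter: uniform in [0, min(cap, base * 2**attempt)].
            delay = rng() * min(cap, base * 2 ** attempt)
            delays.append(delay)
            sleep(delay)


def make_flaky_get_secret(failures):
    """Constructed fake of a read call that raises the given codes before succeeding."""
    pending = list(failures)

    def get_secret():
        if pending:
            raise ApiError(pending.pop(0))
        return "constructed-secret-value"
    return get_secret
```

The `sleep` and `rng` parameters exist so the schedule can be checked deterministically; in production leave them at their defaults and bound `max_attempts` so a sustained throttle fails the request instead of queuing callers indefinitely.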
For more information, as well as example code, on retries, exponential backoff, and jitter, see the following resources: