does someone know the IAM role propagation time? I am creating roles programmatically and then use them in KMS CMK setup. In 95% of the cases the role is available to KMS within less than a few seconds. However, in around 5% of cases it takes 5 seconds and more. Is there a know metric on the latency of the system? To my knowledge its eventual consistent so expect latency but what are the SLO?
Edit: found this
after creating a role, it does take an indeterminate amount of time for that role to be available in a region. There is no way to programmatically determine when a role is available in region. The system is eventually consistent and times will vary depending on what you are trying to access. The best advice I could give you would be to wait at least 30-45 seconds for your first call and then use exponential backoff when retrying after an access denied.
https://forums.aws.amazon.com/thread.jspa?threadID=255063
This stackoverflow question is about IAM timeing in general but not fully informative: How long should I wait after applying an AWS IAM policy before it is valid?
