AWS Cognito enforces quotas on user pools, operations, and API request rates per region. This error occurs when you exceed your account's default limits. Resolve it by requesting a quota increase or optimizing your deployment strategy.
Amazon Cognito implements quota limits to prevent abuse and manage resource allocation across accounts. When you encounter a LimitExceededException while creating a Cognito User Pool with Terraform, it means your AWS account has reached one of several types of limits:

1. **User pool quota per region**: By default, you can create up to 1,000 user pools per AWS region per account. Each region has independent quotas.
2. **API request rate limits**: Cognito restricts certain operations to 5 requests per second (RPS) per user pool by default. User authentication operations are limited to 120 RPS per region across all pools.
3. **User pool configuration limits**: Individual user pools have limits on resources like custom attributes, groups, resource servers, and identity providers.

When Terraform attempts to create a Cognito User Pool and hits any of these limits, AWS returns a LimitExceededException and the `aws_cognito_user_pool` resource creation fails.
Log into your AWS Console and navigate to Amazon Cognito. Count existing user pools in the affected region, or use the AWS CLI:
```bash
aws cognito-idp list-user-pools --max-results 60 --region us-east-1
```
This lists all user pools in the specified region. Remember that Cognito quotas are per-region per-account, so a pool in us-east-1 doesn't count toward quotas in us-west-2.
Check if Terraform is trying to create a duplicate user pool:
```bash
terraform state list | grep aws_cognito_user_pool
```
If the pool already exists in state but you're getting an error, refresh your state:
```bash
terraform refresh
```
If the pool exists in AWS but not in your Terraform state, import it:
```bash
terraform import aws_cognito_user_pool.example <user-pool-id>
```
Get the user pool ID from the AWS Cognito Console.
If you have reached the 1,000 user pool limit, check if you can consolidate:
```bash
# List all user pools with basic info
aws cognito-idp list-user-pools --max-results 60 --region us-east-1 --query 'UserPools[*].[Id,Name,CreationDate]' --output table
```
Review which pools are:
- Development or testing pools no longer in use
- Duplicate pools created by accident or automation
- Pools serving the same purpose
Delete unused pools via the AWS Console or CLI:
```bash
aws cognito-idp delete-user-pool --user-pool-id <pool-id> --region us-east-1
```
Deleting a pool frees up the quota immediately.
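The review described above can be scripted over the JSON output of `list-user-pools`. This is an added example, not code from the original page: it groups pools that share a name (likely duplicates) and flags non-production pools that have not been modified for a while. The sample listing, pool IDs, the name markers, and the 180-day threshold are constructed assumptions; `audit_pools` and `parse_date` are hypothetical helper names.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample shaped like `aws cognito-idp list-user-pools --output json`
# (IDs, names and dates are made up for illustration).
SAMPLE = json.loads("""
{"UserPools": [
  {"Id": "us-east-1_EXAMPLE01", "Name": "customer-portal",
   "CreationDate": "2023-02-01T09:00:00+00:00", "LastModifiedDate": "2025-05-20T09:00:00+00:00"},
  {"Id": "us-east-1_EXAMPLE02", "Name": "customer-portal",
   "CreationDate": "2024-11-12T14:30:00+00:00", "LastModifiedDate": "2024-11-12T14:30:00+00:00"},
  {"Id": "us-east-1_EXAMPLE03", "Name": "ci-test-pool",
   "CreationDate": "2024-03-03T08:15:00+00:00", "LastModifiedDate": "2024-03-03T08:15:00+00:00"},
  {"Id": "us-east-1_EXAMPLE04", "Name": "dev-sandbox",
   "CreationDate": "2025-05-28T10:00:00+00:00", "LastModifiedDate": "2025-05-30T10:00:00+00:00"}
]}
""")

def parse_date(value):
    """Accept ISO 8601 strings or epoch seconds, depending on the CLI's timestamp format."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)

def audit_pools(listing, now, stale_days=180, markers=("dev", "test", "tmp")):
    """Return pool IDs that share a name, and non-prod pools untouched for stale_days."""
    by_name = defaultdict(list)
    stale = []
    for pool in listing["UserPools"]:
        by_name[pool["Name"]].append(pool)
        idle = (now - parse_date(pool["LastModifiedDate"])).days
        if idle >= stale_days and any(m in pool["Name"].lower() for m in markers):
            stale.append(pool["Id"])
    # Oldest pool first, so the later (probably accidental) copies stand out.
    duplicates = {
        name: [p["Id"] for p in sorted(pools, key=lambda p: parse_date(p["CreationDate"]))]
        for name, pools in by_name.items() if len(pools) > 1
    }
    return {"duplicates": duplicates, "stale_nonprod": stale}

if __name__ == "__main__":
    report = audit_pools(SAMPLE, now=datetime(2025, 6, 1, tzinfo=timezone.utc))
    print(json.dumps(report, indent=2))
```

Treat the result as a review list only: confirm that a flagged pool has no users or app clients depending on it before deleting it.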
If you legitimately need more user pools, request a quota increase:
1. Go to AWS Service Quotas console: https://console.aws.amazon.com/servicequotas
2. Search for "Cognito"
3. Find "User pools per region" or "User pools"
4. Click on the quota and select "Request quota increase"
5. Enter your desired value (AWS typically allows increases up to 10,000+ pools)
6. Submit the request
AWS usually approves quota increase requests within minutes to a few hours. You'll receive an email confirmation. Note that quota increases are per-region, so you may need separate requests for each region you use.
If the error is related to API request rate limits rather than pool count, optimize your deployment:
```bash
# Check if you're hitting rate limits (look for TooManyRequestsException in CloudWatch)
aws logs filter-log-events --log-group-name /aws/cognito/<pool-name> --filter-pattern TooManyRequestsException --region us-east-1
```
In your Terraform configuration, implement retry logic or stagger resource creation:
```hcl
resource "aws_cognito_user_pool" "example" {
  name = "my-pool"
  # ... other config
  timeouts {
    create = "10m"
    update = "10m"
    delete = "10m"
  }
}
```
In your application, implement exponential backoff for API calls and cache authentication tokens to reduce request volume.
Once your quota increase is approved, retry your Terraform deployment:
```bash
terraform plan
terraform apply
```
If using CI/CD pipelines, ensure:
- Your AWS credentials have permissions to create Cognito user pools
- Your pipeline has the latest credentials with updated quotas
- Multiple parallel deployments are not creating duplicate pools
Consider adding a delay between resource creation in large deployments to avoid rate limit issues:
```bash
terraform apply -parallelism=1
```
Per-region quota isolation: Each AWS region maintains independent quotas for Cognito. You can create 1,000 user pools in us-east-1 AND another 1,000 in us-west-2. However, API rate limits (like UserAuthentication at 120 RPS) are per-region global limits across all your pools.
Request rate limits vs. resource limits: There are two different types of limits you might hit. Resource limits are about how many things you can create (pools, users, etc.). Request rate limits are about how fast you can call APIs. The error message usually indicates which type you've exceeded.
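The application-side backoff advice and the rate-versus-resource distinction above combine into one retry wrapper, shown here as an added example that is not from the original page. It retries throttling errors with capped exponential backoff and full jitter, and fails fast on a quota error where retrying cannot help. Assumptions: `LimitExceededException` is treated as a resource limit, error codes are read from a botocore-style `response["Error"]["Code"]`, and `FakeClientError`, `QuotaExhausted`, `call_with_backoff` and `flaky` are hypothetical names.

```python
import random
import time

# Error codes as carried in a botocore ClientError's response["Error"]["Code"].
THROTTLED = {"TooManyRequestsException", "ThrottlingException"}  # rate limit: retry
QUOTA = {"LimitExceededException"}  # assumed resource limit: do not retry

class FakeClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class QuotaExhausted(Exception):
    """Raised when retrying cannot help; review Service Quotas instead."""

def error_code(exc):
    return (getattr(exc, "response", None) or {}).get("Error", {}).get("Code")

def call_with_backoff(fn, max_attempts=5, base=0.5, cap=8.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn(); retry throttling errors with capped exponential backoff and full jitter."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            code = error_code(exc)
            if code in QUOTA:
                raise QuotaExhausted(f"{code}: quota reached, retrying will not help") from exc
            if code not in THROTTLED or attempt == max_attempts - 1:
                raise  # unknown error, or retries used up
            sleep(rng() * min(cap, base * 2 ** attempt))

def flaky(fail_times, code):
    """Constructed callable: raises `code` fail_times times, then succeeds."""
    state = {"left": fail_times}
    def fn():
        if state["left"] > 0:
            state["left"] -= 1
            raise FakeClientError(code)
        return "ok"
    return fn

if __name__ == "__main__":
    print(call_with_backoff(flaky(2, "TooManyRequestsException"), base=0.01))
```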
CI/CD pipeline automation: If you're using Terraform in automated pipelines, be careful not to repeatedly create and destroy pools in loops. Each creation counts toward quotas. Consider using Terraform workspaces to avoid duplicate pool creation or implement proper state locking with a remote backend.
Monthly Active Users (MAUs): While MAUs don't cause LimitExceededException for pool creation, they affect pricing and performance throttling. AWS Cognito is free for the first 50,000 MAUs, then charges per MAU. Beyond 2 million MAUs, you may experience automatic request throttling.
Service quotas management: AWS now provides the Service Quotas console where you can see real-time utilization, set up CloudWatch alarms, and automate quota increase requests. Enable this for Cognito to proactively monitor your quota consumption.