How to fix Error: Error creating KMS Key: LimitExceededException in Terraform

TerraformINTERMEDIATEHIGH

The LimitExceededException error occurs when you exceed AWS KMS quotas during Terraform apply. This typically happens when creating too many KMS keys or hitting request rate limits in a region. AWS KMS has default limits like 100,000 customer-managed keys per region and rate limits for cryptographic operations.

What this error means

The LimitExceededException is thrown by AWS KMS when an operation exceeds one of the service's imposed quotas or rate limits. AWS KMS enforces two types of limits: resource limits (like the maximum number of keys per region) and request quotas (like the number of cryptographic operations per second). When Terraform attempts to create a KMS key and this operation violates either type of limit, AWS rejects the request with this exception.

How to fix "Error: Error creating KMS Key: LimitExceededException"

1Check your current KMS key usage in the region

Use the AWS CLI to list all KMS keys in your region to understand your current usage:

bash

aws kms list-keys --region us-east-1
aws kms list-keys --region us-east-1 | jq '.Keys | length'

This shows you the total number of customer-managed KMS keys already created. Compare this to the default limit of 100,000 keys per region.

2Review AWS Service Quotas for your region

Check the AWS Service Quotas console for KMS limits in your account:

bash

aws service-quotas list-service-quotas --service-code kms --region us-east-1

Look for quotas like:
- Customer managed KMS keys
- Cryptographic operation request rates
- The applicable quota for your region

This helps determine if you're hitting a resource limit or a rate limit.

3Identify unused or duplicate KMS keys

Check if you have KMS keys that are no longer needed:

bash

aws kms describe-key --key-id <key-id> --region us-east-1
aws kms list-aliases --region us-east-1 | grep <key-id>

If you find unused keys, schedule them for deletion using a 7-day wait period:

bash

aws kms schedule-key-deletion --key-id <key-id> --pending-window-in-days 7 --region us-east-1

4Reduce parallelism in Terraform if hitting rate limits

If the issue is request rate limits (not key count), reduce parallel operations:

bash

terraform apply -parallelism=2

Alternatively, add retry logic in your Terraform provider configuration:

hcl

provider "aws" {
  region = "us-east-1"
  
  assume_role {
    role_arn = "arn:aws:iam::ACCOUNT:role/ROLE"
  }
}

Terraform and the AWS provider will automatically retry ThrottlingException errors with exponential backoff.

5Request a quota increase if needed

If you legitimately need more KMS keys or higher request rates, request a quota increase through the AWS Service Quotas console:

1. Go to AWS Service Quotas in the AWS Console
2. Search for 'KMS'
3. Select the quota you want to increase (e.g., 'Customer managed KMS keys')
4. Click 'Request quota increase'
5. Enter your desired value
6. Submit the request

Alternatively, use the CLI:

bash

aws service-quotas request-service-quota-increase --service-code kms --quota-code kms-customer-managed-keys --desired-value 150000 --region us-east-1

6Implement exponential backoff in your Terraform code

Add retry logic to your KMS resource if you're hitting transient rate limits:

hcl

resource "aws_kms_key" "example" {
  description             = "KMS key for encryption"
  deletion_window_in_days = 10
  enable_key_rotation     = true

  tags = {
    Name = "my-key"
  }
}

The AWS provider (v3.0+) automatically retries throttling errors. If you're on an older version, upgrade it:

bash

terraform init -upgrade

How to fix Error: Error creating KMS Key: LimitExceededException in Terraform

What this error means

Typical symptoms

Common causes

How to fix "Error: Error creating KMS Key: LimitExceededException"

Advanced notes

Related errors

Official resources & further reading