The installer makes a large number of API calls to the IAM service during destroy code, which can result in account throttling, as evidenced by OCPBUGS-54619. The installer needs to do its part to avoid these failures. We could do things such as:

• reduce number of API calls made in destroy code, particularly for IAM
  • we may be able to safely skip calls, see https://github.com/openshift/installer/pull/9671 for example (this still needs to be confirmed)
  • ensure that we don't continue to make API calls after we have successfully deleted all known resources, this would apply to IAM but also potentially all resources
• Switch AWS jobs to use existing IAM users, which would mean we don't create so many in the CI accounts and then need to iterate over so many when destroying
• We could potentially create IAM users in a "path" which makes searching for them significantly easier (James Russell mentioned some concerns in slack, but they don't seem serious at first glance), but this would also need to be done in the cloud credential operator (CCO).