在 GCP 中创建 IAM 成员抛出错误策略的大小太大
Creating IAM members in GCP throws error The size of the policy is too large
当我尝试在 GCP 中创建新的 IAM 用户时,出现以下错误
Request "Create IAM Members roles/dns.admin serviceAccount:dns-mngt-sa-prod@pprojectId.iam.gserviceaccount.com
for \"project \\"projectId\\"\"" returned error:
Error applying IAM policy for project "projectId": Error setting IAM policy for project "projectId": googleapi: Error 400:
The size of the policy is too large.
Consider removing or merging some of the bindings or if using conditions remove
any lengthy conditions., badRequest
上面显示的是 terraform apply 命令的输出。当我尝试使用 gcloud cli 时,我也得到了类似的输出
当我尝试通过 GCP 控制台创建它时,它只显示“后端错误”
您很可能击中了 IAM 的 quotas 之一。每次执行更新或创建时,都会上传您在 Terraform 中指定的所有绑定。正如错误所说,您可能正在创建许多可以合并在一起的绑定。我建议尝试找出您达到的配额限制以及原因,这里有一些调试命令:
iam 绑定数量:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings | length'
绑定的总大小:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings' > iam.json
ls -l iam.json
每个成员在所有绑定中的出现次数:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq ".bindings[].members" | jq -s flatten
然后,您可以通过合并来减少绑定的数量。例如,此绑定:
{
"bindings": [
{
"members": [
"user:user-a@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:user-b@example.com"
],
"role": "roles/owner"
}
],
"etag": "BwUjMhCsNvY=",
"version": 1
}
可以合并到这个:
{
"bindings": [
{
"members": [
"user:user-b@example.com",
"user:user-a@example.com"
],
"role": "roles/owner"
}
],
"etag": "BwUjMhCsNvY=",
"version": 1
}
当我尝试在 GCP 中创建新的 IAM 用户时,出现以下错误
Request "Create IAM Members roles/dns.admin serviceAccount:dns-mngt-sa-prod@pprojectId.iam.gserviceaccount.com
for \"project \\"projectId\\"\"" returned error:
Error applying IAM policy for project "projectId": Error setting IAM policy for project "projectId": googleapi: Error 400:
The size of the policy is too large.
Consider removing or merging some of the bindings or if using conditions remove
any lengthy conditions., badRequest
上面显示的是 terraform apply 命令的输出。当我尝试使用 gcloud cli 时,我也得到了类似的输出 当我尝试通过 GCP 控制台创建它时,它只显示“后端错误”
您很可能击中了 IAM 的 quotas 之一。每次执行更新或创建时,都会上传您在 Terraform 中指定的所有绑定。正如错误所说,您可能正在创建许多可以合并在一起的绑定。我建议尝试找出您达到的配额限制以及原因,这里有一些调试命令:
iam 绑定数量:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings | length'
绑定的总大小:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings' > iam.json
ls -l iam.json
每个成员在所有绑定中的出现次数:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq ".bindings[].members" | jq -s flatten
然后,您可以通过合并来减少绑定的数量。例如,此绑定:
{
"bindings": [
{
"members": [
"user:user-a@example.com"
],
"role": "roles/owner"
},
{
"members": [
"user:user-b@example.com"
],
"role": "roles/owner"
}
],
"etag": "BwUjMhCsNvY=",
"version": 1
}
可以合并到这个:
{
"bindings": [
{
"members": [
"user:user-b@example.com",
"user:user-a@example.com"
],
"role": "roles/owner"
}
],
"etag": "BwUjMhCsNvY=",
"version": 1
}