TechQA.

Creating IAM members in GCP throws error The size of the policy is too large

2.9k views Asked by At

When I try to create a new IAM user in GCP, I get the following error

Request "Create IAM Members roles/dns.admin serviceAccount:[email protected] 
for \"project \\\"projectId\\\"\"" returned error:
 Error applying IAM policy for project "projectId": Error setting IAM policy for project "projectId": googleapi: Error 400:
 The size of the policy is too large.
 Consider removing or merging some of the bindings or if using conditions remove 
any lengthy conditions., badRequest

Above shown is the output from terraform apply command. When I try to use gcloud cli, I get a similar output as well When I try to create it through GCP console, it just shows "backend error"

google-cloud-platform google-iam terraform-provider-gcp google-cloud-iam
Original Q&A
1

There are 1 answers

2
Cloudkollektiv On BEST ANSWER

Most likely you hit one of the quotas of IAM. All the bindings you specified in Terraform are uploaded every time you perform an update or create. As the error says you are probably creating a lot of bindings that could be merged together. I suggest trying to find which quota limit you are reaching and why, here are some debugging commands:

Number of iam bindings:

gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings | length'

Total size of the bindings:

gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings' > iam.json
ls -l iam.json

Occurence of each member in all the bindings:

gcloud projects get-iam-policy $PROJECT_ID --format=json | jq ".bindings[].members" | jq -s flatten

Then, you could reduce the number of bindings by merging. For example, this binding:

{
  "bindings": [
    {
      "members": [
        "user:[email protected]"
      ],
      "role": "roles/owner"
    },
    {
      "members": [
        "user:[email protected]"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "BwUjMhCsNvY=",
  "version": 1
}

Could be merged to this:

{
  "bindings": [
    {
      "members": [
        "user:[email protected]",
        "user:[email protected]"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "BwUjMhCsNvY=",
  "version": 1
}

Related Questions in GOOGLE-CLOUD-PLATFORM

Related Questions in GOOGLE-IAM

Related Questions in TERRAFORM-PROVIDER-GCP

Related Questions in GOOGLE-CLOUD-IAM

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions