Reputation: 134
There were concurrent policy changes. Please retry the whole read-modify-write with exponential backoff
POST METHOD URL
https://cloudresourcemanager.googleapis.com/v1/projects/project-name:setIamPolicy
Request:
{
"resource": "projects/project-name",
"policy": {
"bindings": [
{
"role": "roles/resourcemanager.organizationAdmin",
"members": [
"user:[email protected]"
]
}
],
"etag": "BwWWja0YfJA=",
"version": 3
}
}
Response:
{
"error": { "code": 409, "message": "There were concurrent policy changes. Please retry the whole read-modify-write with exponential backoff.", "status": "ABORTED" }
}
Upvotes: 3
Views: 7134
Answers (4)
Reputation: 91
"etag": changes after every update. Make sure you are using the most recent one from get command
Upvotes: 0
Reputation: 135
I was able to fix this issue by removing
"etag": "BwWWja0YfJA=",
"version": 3
from the template when using gcloud projects set-iam-policy command. It will ask you to overwrite the existing policy before committing the changes
Upvotes: 0
Reputation: 409
Documentation recommends using the read-modify-write pattern to update policy for a resource.
Reading the current policy by calling getIamPolicy(). Editing the returned policy, either by using a text editor or programmatically, to add or remove any desired members and their role grants. Writing the updated policy by calling setIamPolicy().
Looks like in your case the policy you're trying to set and the policy that is currently active on the resource have diverged. One of the ways this can happen is if you did:
- getIamPolicy() > policy.json
- addIamPolicyBinding() or removeIamPolicyBinding()
- setIamPolicy() policy.json
The policy version on the resource after #2, is out of sync with what #3 is trying to set, and so it throws an exception. To confirm you can compare the etag field in the policy your strying to set with the etag currently on the resource. There should be a mismatch.
Upvotes: 4
Reputation: 4961
This means that more than one change was performed at the same time. You should try to perform only one request to change policies at the same time.
Implementing Exponential backoff should help you with this error. It is as simple as handle your request retry with a time magnitude of n+1 + random_number_milliseconds seconds and retry the request
Upvotes: 1
Related Questions
- GCP deploy error: Creating Revision interrupted
- Terraform state lock not able to release in GCP backend
- Terraform on GCP - Error 409: Requested entity already exists
- Terraform GCS backend writing .tflock failed. 403 access denied
- Terraform always tries to replace gcp compute instance without changes
- Terraform Forwarding Rule Quota Exceeded
- Terraform google_proejct_iam_member giving Error 400: Policy members must be of the form "<type>:<value>"., badRequest
- Terraform issues with waiting for GCP infrastructure changes to propagate
- How to resolve the terraform error "timeout while waiting for state to become 'done: true' (last state: 'done: false', timeout: 10m0s)"?
- Terraform GCP - Error waiting for Setting usage export bucket.: Required 'read' permission for 'gcp-bucket'