问题描述
Request "Create IAM Members roles/dns.admin serviceAccount:[email protected] for \"project \\\"projectId\\\"\"" returned error: Error applying IAM policy for project "projectId": Error setting IAM policy for project "projectId": googleapi: Error 400: The size of the policy is too large. Consider removing or merging some of the bindings or if using conditions remove any lengthy conditions.,badRequest@H_502_5@上面显示的是terraform apply命令的输出。当我尝试使用gcloud cli时,我也会得到类似的输出 当我尝试通过GCP控制台创建它时,它只会显示“后端错误”
解决方法
您很可能达到了IAM的quotas之一。每次执行更新或创建时,都会上载您在Terraform中指定的所有绑定。如错误所述,您可能正在创建许多可以合并在一起的绑定。我建议尝试查找您要达到的配额限制以及原因,这是一些调试命令:
iam绑定数:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings | length'绑定的总大小:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq '.bindings' > iam.json ls -l iam.json所有绑定中每个成员的出现:
gcloud projects get-iam-policy $PROJECT_ID --format=json | jq ".bindings[].members" | jq -s flatten然后,您可以通过合并减少绑定数。例如,此绑定:
{ "bindings": [ { "members": [ "user:[email protected]" ],"role": "roles/owner" },{ "members": [ "user:[email protected]" ],"role": "roles/owner" } ],"etag": "BwUjMhCsNvY=","version": 1 }可以合并到此:
{ "bindings": [ { "members": [ "user:[email protected]","user:[email protected]" ],"version": 1 }