policy config_error ai_generated true

Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCompliantResource'. Reason: 'The resource location 'eastus2' is not allowed for this project.'

ID: policy/gcp-resource-location-restriction-violation

Also available as: JSON · Markdown · 中文
85%Fix Rate
85%Confidence
1Evidence
2024-01-05First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
Google Cloud SDK 450.0.0 active
Google Cloud Console 2024-03 active

Root Cause

A Google Cloud Organization Policy constraint restricts resource creation to specific locations (e.g., only us-central1), but the resource is being created in a non-compliant region like eastus2.

generic

中文

Google Cloud 组织策略约束限制了资源创建到特定位置(例如仅 us-central1),但资源正在非合规区域(如 eastus2)创建。

Official Documentation

https://cloud.google.com/resource-manager/docs/organization-policy/restricting-locations

Workarounds

  1. 90% success Check the allowed locations for the project using: gcloud resource-manager org-policies describe constraints/compute.restrictNonCompliantResource --project=my-project, then create the resource in an allowed region. 
    Check the allowed locations for the project using: gcloud resource-manager org-policies describe constraints/compute.restrictNonCompliantResource --project=my-project, then create the resource in an allowed region.
  2. 85% success Update the organization policy to add the desired location using: gcloud resource-manager org-policies set-policy --project=my-project policy.yaml, where policy.yaml includes the allowed locations. 
    Update the organization policy to add the desired location using: gcloud resource-manager org-policies set-policy --project=my-project policy.yaml, where policy.yaml includes the allowed locations.
  3. 70% success If the policy is inherited from the organization, request an exception from the GCP admin to allow the specific location. 
    If the policy is inherited from the organization, request an exception from the GCP admin to allow the specific location.

中文步骤

  1. 检查项目允许的位置:gcloud resource-manager org-policies describe constraints/compute.restrictNonCompliantResource --project=my-project,然后在允许的区域创建资源。
  2. 更新组织策略以添加所需位置:gcloud resource-manager org-policies set-policy --project=my-project policy.yaml,其中 policy.yaml 包含允许的位置。
  3. 如果策略从组织继承,请向 GCP 管理员请求异常以允许特定位置。

Dead Ends

Common approaches that don't work:

  1. 90% fail

    The policy applies to all resources in the project; only allowed locations will succeed.

  2. 95% fail

    The same policy will block the creation again.

  3. 70% fail

    The policy may be inherited from the organization level and apply to all projects.