Resource 'projects/my-project/global/images/my-image' was disallowed by policy. Policy: 'constraints/compute.restrictNonCompliantResource'. Reason: 'The resource location 'eastus2' is not allowed for this project.'
ID: policy/gcp-resource-location-restriction-violation
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Google Cloud SDK 450.0.0 | active | — | — | — |
| Google Cloud Console 2024-03 | active | — | — | — |
Root cause analysis
A Google Cloud Organization Policy constraint restricts resource creation to specific locations (e.g., only us-central1), but the resource is being created in a non-compliant region like eastus2.
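Official documentation
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-locations
Solutions
- Check the locations allowed for the project: gcloud resource-manager org-policies describe constraints/compute.restrictNonCompliantResource --project=my-project, then create the resource in an allowed region.
- Update the organization policy to add the required location: gcloud resource-manager org-policies set-policy --project=my-project policy.yaml, where policy.yaml contains the allowed locations.
- If the policy is inherited from the organization, ask your GCP administrator for an exception that allows the specific location.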
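When several such denials show up in logs, it helps to extract the constraint and location from each message before choosing between the options above. The following is an added example, not part of the original page or of any Google tooling: it parses the message format shown on this page, and the names `parse_denial`, `triage` and `believed_allowed` are hypothetical.

```python
import re
from collections import defaultdict

# The Reason field nests single quotes, so the location is captured from
# inside it instead of splitting the message on quote characters.
DENIAL_RE = re.compile(
    r"Resource '(?P<resource>[^']+)' was disallowed by policy\. "
    r"Policy: '(?P<constraint>[^']+)'\. "
    r"Reason: '?.*?location '(?P<location>[^']+)'"
)

# Constructed sample input: the first entry is the message from this page,
# the other two are made up for the example.
SAMPLE_LOG = [
    "Resource 'projects/my-project/global/images/my-image' was disallowed by policy. "
    "Policy: 'constraints/compute.restrictNonCompliantResource'. "
    "Reason: 'The resource location 'eastus2' is not allowed for this project.'",
    "Resource 'projects/my-project/zones/us-central1-a/disks/d1' was disallowed by policy. "
    "Policy: 'constraints/compute.restrictNonCompliantResource'. "
    "Reason: 'The resource location 'us-central1' is not allowed for this project.'",
    "INFO request completed",
]

def parse_denial(line):
    """Return resource, project, constraint and location, or None for other lines."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proj = re.match(r"projects/([^/]+)/", d["resource"])
    d["project"] = proj.group(1) if proj else None
    return d

def triage(lines, believed_allowed):
    """Split denials into locations to request and locations already believed allowed.

    A denial for a location in believed_allowed means the effective policy differs
    from the one you inspected, for example because it is inherited (a heuristic).
    """
    out = {"request_exception": defaultdict(set), "check_inheritance": defaultdict(set)}
    for d in filter(None, map(parse_denial, lines)):
        bucket = "check_inheritance" if d["location"] in believed_allowed else "request_exception"
        out[bucket][(d["project"], d["constraint"])].add(d["location"])
    return {name: {k: sorted(v) for k, v in groups.items()} for name, groups in out.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, believed_allowed={"us-central1"}))
```
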
Ineffective attempts
Common but ineffective approaches:
- 90% failure
  The policy applies to all resources in the project; only allowed locations will succeed.
- 95% failure
  The same policy will block the creation again.
- 70% failure
  The policy may be inherited from the organization level and apply to all projects.