Github Actions to Google Cloud Functions "Constraint constraints/gcp.resourceLocations violated for projects/GOOGLE_PROJECT_ID attempting GenerateU

I am trying to build a Python application that is stored in Github that I want to run on Google Cloud Functions.

I have followed this tutorial: https://blog.leandrotoledo.org/deploying-google-cloud-functions-using-github-actions-and-workload-identity-authentication/

.github/workflows/main.yaml looks like this (with workload_identity_provider and service_account changed to my values):

# This is a basic workflow to help you get started
name: CD

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [main]
  pull_request:
    branches: [main]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "deploy"
  deploy:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Add "id-token" with the intended permissions.
    permissions:
      contents: "read"
      id-token: "write"

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          # Replace with your Workload Identity Provider Location
          workload_identity_provider: "$WORKLOAD_IDENTITY_PROVIDER_LOCATION"
          # Replace with your GitHub Service Account
          service_account: "$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com"

      - id: "deploy"
        uses: "google-github-actions/deploy-cloud-functions@v0"
        with:
          # Name of the Cloud Function, same as the entry point name
          name: "helloWorld"
          # Runtime to use for the function
          runtime: "python3.10"

      # Example of using the output
      - id: "test"
        run: 'curl "${{ steps.deploy.outputs.url }}"'

This gives me the following error at Github Actions:

Run google-github-actions/deploy-cloud-functions@v0
  with:
    name: helloWorld
    runtime: python3.10
    region: us-central1
    source_dir: ./
    timeout: 60s
    https_trigger_security_level: security_level_unspecified
    event_trigger_retry: false
    deploy_timeout: 300
    docker_registry: container-registry
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    GOOGLE_GHA_CREDS_PATH: /home/runner/work/helloWorld/helloWorld/gha-creds-xxx.json
    CLOUDSDK_CORE_PROJECT: engineering-infra
    CLOUDSDK_PROJECT: engineering-infra
    GCLOUD_PROJECT: engineering-infra
    GCP_PROJECT: engineering-infra
    GOOGLE_CLOUD_PROJECT: engineering-infra
Extracted project ID 'engineering-infra' from $GCLOUD_PROJECT
Created zip file from './' at '/tmp/cfsrc-xxx.zip'
Error: google-github-actions/deploy-cloud-functions failed with: failed to upload zip file: Failed to POST https://cloudfunctions.googleapis.com/v1/projects/engineering-infra/locations/us-central1/functions:generateUploadUrl: (400) {
  "error": {
    "code": 400,
    "message": "The request has violated one or more Org Policies. Please refer to the respective violations for more information.",
    "status": "FAILED_PRECONDITION",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [
          {
            "type": "constraints/gcp.resourceLocations",
            "subject": "orgpolicy:projects/engineering-infra",
            "description": "Constraint constraints/gcp.resourceLocations violated for projects/engineering-infra attempting GenerateUploadUrlActionV1 with location set to us-central1. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information."
          }
        ]
      }
    ]
  }
}

I am located in North Europe so I would want to use Finland.

There can be multiple scenarios which could lead to the error you are facing.

Could you please verify if your service account has enough permissions, like the iam.serviceAccountUser and iam.cloudFunctionsDeveloper roles on the project? You can check the details in the document.

Have you checked the Stackoverflow linked in the blog/tutorial shared above?

Another case could be: if the Organization Policy: Resource Location Restriction does not allow a multi-region (such as EU, US or Asia, which contain two or more geographic places) but allows the region where you want to deploy the function (like us-central1-locations), then the function will fail to deploy with this error.

If this is relatable for your use case, you can either allow a multi-region in your Organization Policy: Resource Location Restriction, or you can temporarily change the Resource Location constraint to allow a multi-region, deploy the function, and then edit the Organization Policy back to regional restrictions. For the details you can check the document.
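
As an added example (not part of the question or the answer), this Python sketch parses the `google.rpc.PreconditionFailure` body from the error above and reports the case where the rejected location is a region the workflow never set itself. The function names are hypothetical, and the sample error and input dictionaries are constructed from the workflow and run log in the question.

```python
import json
import re

# Constructed sample: the error line from the run above, cut down to the fields read here.
SAMPLE_ERROR = (
    "Error: google-github-actions/deploy-cloud-functions failed with: "
    "failed to upload zip file: (400) "
    + json.dumps({"error": {"code": 400, "status": "FAILED_PRECONDITION", "details": [{
        "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
        "violations": [{
            "type": "constraints/gcp.resourceLocations",
            "subject": "orgpolicy:projects/engineering-infra",
            "description": "Constraint constraints/gcp.resourceLocations violated for projects/"
                           "engineering-infra attempting GenerateUploadUrlActionV1 with location set to us-central1."}]}]}})
    + "\nPost job cleanup."  # constructed trailing log line
)
# From the question: what the workflow's `with:` set, and what the run log resolved.
WORKFLOW_WITH = {"name": "helloWorld", "runtime": "python3.10"}
RESOLVED = {"name": "helloWorld", "runtime": "python3.10", "region": "us-central1"}

PRECONDITION = "type.googleapis.com/google.rpc.PreconditionFailure"
LOCATION_RE = re.compile(r"attempting (\S+) with location set to ([a-z0-9-]+)")

def parse_violations(log_text):
    """Return one dict per org-policy violation in the JSON body of the error."""
    start = log_text.find("{")  # the body follows the "(400) " prefix
    if start == -1:
        return []
    try:
        body, _ = json.JSONDecoder().raw_decode(log_text, start)  # tolerates trailing log text
    except json.JSONDecodeError:
        return []
    found = []
    for detail in body.get("error", {}).get("details", []):
        violations = detail.get("violations", []) if detail.get("@type") == PRECONDITION else []
        for v in violations:
            m = LOCATION_RE.search(v.get("description", ""))
            found.append({"constraint": v.get("type"),
                          "project": v.get("subject", "").split(":", 1)[-1],
                          "action": m.group(1) if m else None,
                          "location": m.group(2) if m else None})
    return found

def blocked_default_region(log_text, workflow_with, resolved):
    """Region the policy rejected that the workflow never set itself, else None."""
    if "region" in workflow_with:
        return None
    rejected = {v["location"] for v in parse_violations(log_text)}
    return resolved.get("region") if resolved.get("region") in rejected else None
```
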
