Unable to set policy: Specified policy version (1) cannot be less than the existing policy version (3) #88
Comments
FWIW, I worked around this problem by removing any conditions from all the projects that were being referenced as part of the roleset, and then applying. It seems Google will jump between policy versions based on whether you have a condition or not.
What version of Vault are you on? That change is included in 1.4.0 and later.
This was tested on v1.4.2 with the latest Terraform providers.
An attempt was made to fix this issue in #77 by always requesting the newest IAM policy version, however it appears the issue is still occurring.
#77 specifies version 3 in the get, but not in the set request; I haven't dug into the API spec to find out if it expects a version to be provided but it would make sense with the error.
It should be specifying the policy version in the set request with the version field from the retrieved policy, although maybe more is required or the policy object retrieved is not the one that is eventually set?
@somethingnew2-0 Did you find a solution to the issue?
Me as well. Tested with 1.4.2 and 1.4.3.
I have not found a solution to this issue unfortunately. |
We keep running into this and are not sure of the fix, so we'd appreciate some help from the google/hashi side.
Hi,
I can see some relevant issues to this:
#77
#70
We have a project that has a version 3 policy attached (in fact, most likely we will have several), and updating a roleset fails with the following error:
Now, I appreciate supporting conditionals is a big piece of work, but it would be good to support version 3 policies just for non-conditional IAM rules. The first PR linked appears to be related to getIamPolicy, not setIamPolicy.
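The get/set version mismatch discussed in this thread, as an added example that is not the plugin's code or Google's API client: a constructed in-memory model (`fakeIAM`, `Policy` and both helper functions are hypothetical names) showing a read-modify-write that drops the retrieved `Version` next to one that carries it into the set request. It assumes an unset version is treated as version 1.

```go
package main

import "fmt"

// Policy is a simplified stand-in for an IAM policy (hypothetical type).
type Policy struct {
	Version  int
	Bindings []string // "role:member" pairs; conditions omitted for brevity
}

// fakeIAM is a constructed model of the server-side version check only.
type fakeIAM struct{ stored Policy }

// Get returns a copy of the stored policy, as if version 3 had been requested.
func (f *fakeIAM) Get() Policy {
	p := f.stored
	p.Bindings = append([]string(nil), f.stored.Bindings...)
	return p
}

// Set rejects a policy whose version is lower than the stored one.
func (f *fakeIAM) Set(p Policy) error {
	if p.Version == 0 {
		p.Version = 1 // assumption: an unset version is treated as version 1
	}
	if p.Version < f.stored.Version {
		return fmt.Errorf("Specified policy version (%d) cannot be less than the existing policy version (%d)",
			p.Version, f.stored.Version)
	}
	f.stored = p
	return nil
}

// addBindingLossy rebuilds the policy from its bindings, dropping Version.
func addBindingLossy(f *fakeIAM, b string) error {
	cur := f.Get()
	return f.Set(Policy{Bindings: append(cur.Bindings, b)})
}

// addBindingPreserving edits the retrieved policy and sends Version back.
func addBindingPreserving(f *fakeIAM, b string) error {
	cur := f.Get()
	cur.Bindings = append(cur.Bindings, b)
	return f.Set(cur)
}

func main() {
	// Constructed sample state: a project whose existing policy is version 3.
	f := &fakeIAM{stored: Policy{Version: 3, Bindings: []string{"roles/viewer:user:a@example.com"}}}
	fmt.Println("lossy:", addBindingLossy(f, "roles/editor:user:b@example.com"))
	fmt.Println("preserving:", addBindingPreserving(f, "roles/editor:user:b@example.com"))
}
```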