
Error 409 setting IAM policy for artifactregistry repository - There were concurrent policy changes #25305

@tamir-deep

Description



Terraform Version & Provider Version(s)

Terraform v1.12.2
on linux/amd64

  • provider registry.terraform.io/hashicorp/google v7.12.0

Affected Resource(s)

google_artifact_registry_repository_iam_member

Terraform Configuration

data "google_artifact_registry_repository" "mgmt" {
  project       = local.gar_mgmt_project
  location      = local.gar_mgmt_location
  repository_id = local.gar_mgmt_repository_id
}

resource "google_artifact_registry_repository_iam_member" "this" {
  project    = data.google_artifact_registry_repository.mgmt.project
  location   = data.google_artifact_registry_repository.mgmt.location
  repository = data.google_artifact_registry_repository.mgmt.name
  role       = "roles/artifactregistry.reader"
  member     = google_service_account.sa.member
}

Debug Output

No response

Expected Behavior

The IAM policy for the Artifact Registry repository will be updated (new member is added/removed upon apply/destroy).

Actual Behavior

Error applying IAM policy for artifactregistry repository "projects/REDACTED/locations/REDACTED/repositories/REDACTED": Error setting IAM policy for artifactregistry repository "projects/REDACTED/locations/REDACTED/repositories/REDACTED": googleapi: Error 409: There were concurrent policy changes. Please retry the whole read-modify-write with exponential backoff. The request's ETag '\007\006DjnN\255E' did not match the current policy's ETag '\007\006Dj\347\332\\264'
with google_artifact_registry_repository_iam_member.this,
on gar.tf line 45, in resource "google_artifact_registry_repository_iam_member" "this":
45: resource "google_artifact_registry_repository_iam_member" "this"

Steps to reproduce

  1. terraform apply

Important Factoids

This Terraform module may run simultaneously, and this is where we mostly noticed this issue.

Rerunning terraform apply works fine.

Possibly related to #21299, though that issue and its fix #21315 seem to revolve around "google_project_iam_*" resources.

Seems to me that if we run apply, the data source is read with a certain ETag, which is then used later on.
If another TF apply (or even a direct edit of the GAR repository IAM policy) happens AFTER the data source was read but BEFORE the google_artifact_registry_repository_iam_member resource is created, it will throw this error.

References

No response
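The read-modify-write cycle the 409 message asks for (re-read, re-apply the change, retry with exponential backoff), as an added illustration that is not part of the issue or the provider's code; `PolicyStore`, `ConflictError` and `interleaved_writes` are constructed in-memory stand-ins for the Artifact Registry IAM API and for a concurrent apply landing between the read and the write.

```python
import copy
import hashlib
import json
import time

class ConflictError(Exception):
    """Stand-in for googleapi Error 409: the request's ETag did not match the current policy's ETag."""

class PolicyStore:
    """Constructed mock of an IAM policy endpoint. getIamPolicy returns bindings plus an ETag;
    setIamPolicy rejects a stale ETag. interleaved_writes simulates other actors (a parallel
    apply, a manual edit) changing the policy between our read and our write."""

    def __init__(self, bindings, interleaved_writes=()):
        self.bindings = bindings
        self._pending = list(interleaved_writes)

    def etag(self):
        digest = hashlib.sha256(json.dumps(self.bindings, sort_keys=True).encode())
        return digest.hexdigest()[:12]

    def get_policy(self):
        snapshot = {"bindings": copy.deepcopy(self.bindings), "etag": self.etag()}
        if self._pending:  # another actor writes right after our read, invalidating our ETag
            role, member = self._pending.pop(0)
            self.bindings.setdefault(role, []).append(member)
        return snapshot

    def set_policy(self, policy):
        if policy["etag"] != self.etag():
            raise ConflictError(f"409: ETag {policy['etag']!r} != current {self.etag()!r}")
        self.bindings = copy.deepcopy(policy["bindings"])
        return self.etag()

def add_member(store, role, member, max_attempts=5, sleep=time.sleep):
    """Read-modify-write of one IAM binding. On 409 the whole cycle is repeated with a fresh
    read (and so a fresh ETag) under capped exponential backoff. Returns attempts used."""
    for attempt in range(1, max_attempts + 1):
        policy = store.get_policy()
        members = policy["bindings"].setdefault(role, [])
        if member not in members:
            members.append(member)
        try:
            store.set_policy(policy)
            return attempt
        except ConflictError:
            if attempt == max_attempts:
                raise
            sleep(min(0.2 * 2 ** (attempt - 1), 5.0))  # 0.2 s, 0.4 s, 0.8 s, ... capped at 5 s
```

The retry only helps because each attempt re-reads the policy: reusing the stale snapshot (as the data source does when read once at plan time) would fail on every attempt.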
