GCP Retry Configuration in Prowler
Prowler's GCP Provider uses the Google Cloud Python SDK's integrated retry mechanism to automatically retry API calls that fail with rate-limiting errors (HTTP 429).
Quick Configuration
Using Command Line Flag (Recommended)
Using Configuration File
Modify prowler/providers/gcp/config.py:
How It Works
- Automatic Detection: Handles HTTP 429 and quota exceeded errors
- Exponential Backoff: Each retry uses randomized exponential backoff
- Centralized Config: All GCP services use the same retry configuration
- Transparent: No additional code needed in services
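The sketch below is an added example, not Prowler's or the Google SDK's own code. It models the randomized exponential backoff described in this list so the retry count can be related to how long a scan may stall; the names `QuotaExceeded`, `call_with_retries`, `worst_case_wait` and `flaky_api` are hypothetical, and the delay formula `rand() * 2**n` is an assumption of the sketch.

```python
import random


class QuotaExceeded(Exception):
    """Constructed stand-in for an HTTP 429 / quota exceeded response."""


def call_with_retries(call, num_retries, sleep, rand=random.random):
    """Run call(); on QuotaExceeded wait rand() * 2**n seconds, then retry.

    num_retries counts retries after the first attempt, so call() runs at
    most num_retries + 1 times. Returns (result, waits).
    """
    waits = []
    for attempt in range(num_retries + 1):
        if attempt > 0:
            delay = rand() * 2 ** attempt  # randomized exponential backoff (assumed formula)
            waits.append(delay)
            sleep(delay)
        try:
            return call(), waits
        except QuotaExceeded:
            if attempt == num_retries:
                raise  # retry budget exhausted: surface the error to the caller


def worst_case_wait(num_retries):
    """Upper bound on total sleep in seconds, with every rand() draw near 1.0."""
    return sum(2 ** n for n in range(1, num_retries + 1))


def flaky_api(failures):
    """Constructed API call: raises QuotaExceeded `failures` times, then succeeds."""
    state = {"left": failures}

    def call():
        if state["left"] > 0:
            state["left"] -= 1
            raise QuotaExceeded("Quota exceeded for quota metric 'Read requests'")
        return {"bindings": []}

    return call


if __name__ == "__main__":
    result, waits = call_with_retries(flaky_api(2), num_retries=3, sleep=lambda s: None)
    print("succeeded after", len(waits), "retries; waits:", [round(w, 2) for w in waits])
    print("worst-case total wait for 3 retries:", worst_case_wait(3), "s")
```

Because the bound doubles with each additional retry, raising the attempt count lengthens the worst-case scan time quickly; when 429s persist, a quota increase is the more durable fix.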
Error Examples Handled
HttpError 429 when requesting https://cloudresourcemanager.googleapis.com/v1/projects/vms-uat-eiger:getIamPolicy?alt=json returned "Quota exceeded for quota metric 'Read requests' and limit 'Read requests per minute'"
Implementation
Client-Level Configuration
from googleapiclient import discovery

from prowler.providers.gcp.config import DEFAULT_RETRY_ATTEMPTS

# service, version and credentials are defined by the caller
client = discovery.build(
    service, version, credentials=credentials,
    num_retries=DEFAULT_RETRY_ATTEMPTS
)
Request-Level Configuration
Services with Retry Support
All major GCP services are covered:
- Cloud Resource Manager, Compute Engine, IAM
- BigQuery, KMS, Cloud Storage, Monitoring
- DNS, Logging, Cloud SQL, GKE, API Keys, DataProc
Validation
Debug Logging
Check for Retry Messages
Expected Output
Testing in Real Environment
- Reduce API Quotas in GCP Console:
  - APIs & Services > Quotas
  - Reduce "Read requests per minute" for Compute Engine API
  - Reduce "Policy Read Requests per minute" for IAM API
- Run Prowler with debug logging
- Monitor logs for retry messages
Troubleshooting
If experiencing rate limiting:
1. Use the --gcp-retries-max-attempts flag to increase attempts
2. Request quota increases from Google Cloud support
3. Optimize scanning to reduce simultaneous API calls
4. Verify retry functionality with debug logging