Known Limitations

Known product limitations.
  • Only protect and unprotect operations are supported. The re-protect operation is not supported.

  • The Semi-structured (JSON) data type is not supported in the product.

  • Cloud Function (Gen2) labels must not be updated from the Cloud Run Services console. When updating labels for a GCP Cloud Function (Gen2) through the Cloud Run Services console, GCP creates a new Cloud Run revision with the updated labels, but the underlying Cloud Function retains the old labels. Because the policy agent reads labels from the Cloud Function definition (not the Cloud Run revision), it will not detect the label change and will not trigger a policy update.

    Figure: Cloud Run labels vs Cloud Function labels

    To avoid this issue, always update labels using one of the following methods:

    • Cloud Run Functions console — Navigate to Cloud Run Functions, select the function, and update labels there. This ensures both the Cloud Function and its underlying Cloud Run revision are updated consistently.
    • Terraform — Update the labels variable in your Terraform configuration and run terraform apply.
    • gcloud CLI — Run gcloud functions deploy and pass the updated labels with the --update-labels flag.

    If labels were already updated incorrectly through the Cloud Run Services console, redeploy the function using one of the methods above to synchronize the labels and trigger a policy update.
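
One way to detect the mismatch described above before it causes a missed policy update, as an added example that is not part of the product: it compares the labels on the Cloud Function with those on the Cloud Run revision template. The JSON field paths, the system label prefixes, and the label names are assumptions, and the sample documents are constructed.

```python
import json

# Assumption: keys with these prefixes are platform-managed, not user labels.
SYSTEM_PREFIXES = ("goog-", "cloud.googleapis.com/", "run.googleapis.com/")


def user_labels(labels):
    """Drop platform-managed keys so only user-set labels are compared."""
    return {k: v for k, v in (labels or {}).items()
            if not k.startswith(SYSTEM_PREFIXES)}


def label_drift(function_json, run_service_json):
    """Return {key: (function_value, run_value)} for each label that differs.

    function_json:    parsed `gcloud functions describe ... --format=json`
    run_service_json: parsed `gcloud run services describe ... --format=json`
    None means the key is absent on that side.
    """
    # Assumed paths: top-level "labels" on the function, and
    # spec.template.metadata.labels on the Cloud Run service.
    fn = user_labels(function_json.get("labels"))
    template = run_service_json.get("spec", {}).get("template", {})
    run = user_labels(template.get("metadata", {}).get("labels"))
    return {k: (fn.get(k), run.get(k))
            for k in sorted(fn.keys() | run.keys())
            if fn.get(k) != run.get(k)}


# Constructed sample: the label was changed on the Cloud Run side only,
# so the function definition still carries the old value.
SAMPLE_FUNCTION = json.loads(
    '{"name": "example-fn", "labels": {"policy-version": "v1", "team": "data"}}')
SAMPLE_RUN = json.loads("""
{"spec": {"template": {"metadata": {"labels": {
    "policy-version": "v2", "team": "data",
    "goog-managed-by": "cloudfunctions"}}}}}
""")

if __name__ == "__main__":
    drift = label_drift(SAMPLE_FUNCTION, SAMPLE_RUN)
    for key, (fn_val, run_val) in drift.items():
        print(f"DRIFT {key}: function={fn_val!r} cloud_run={run_val!r}")
    if drift:
        print("Redeploy the function to synchronize labels.")
```

Any reported drift means the function should be redeployed with one of the supported methods listed above.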


Last modified : April 20, 2026