This document describes the quotas for OS Login, which define the maximum number of requests that your project can make to the OS Login API .
A quota restricts how much of a shared Google Cloud resource your Google Cloud project can use, including hardware, software, and network components. Therefore, quotas are a part of a system that does the following:
- Monitors your use or consumption of Google Cloud products and services.
- Restricts your consumption of those resources, for reasons that include ensuring fairness and reducing spikes in usage.
- Maintains configurations that automatically enforce prescribed restrictions.
- Provides a means to request or make changes to the quota.
In most cases, when a quota is exceeded, the system immediately blocks access to the relevant Google resource, and the task that you're trying to perform fails. In most cases, quotas apply to each Google Cloud project and are shared across all applications and IP addresses that use that Google Cloud project.
Request Quotas
Any requests you make to the OS Login API count towards your OS Login quota. OS Login usage through the Google Cloud console or Google Cloud CLI also counts towards your quota because these services use the OS Login API. OS Login quotas apply to your entire project and are separate for each project.
Each quota group is counted separately, so you can achieve the maximum limit in each group simultaneously. Quotas are enforced at intervals of every 60 seconds. If you reach a group's enforced maximum anytime within 60 seconds, you need to wait for the next interval for your quota to refresh before you can make more requests in that group.
Per user quotas
- Description: Quota for
*.get
, and*.getLoginProfile
methods. - Metric:
oslogin.googleapis.com/read_requests
View this quota in the Google Cloud console:
- Description: Limit for
*.create
,*.patch
,*.delete
and*.importSshPublicKey
methods. - Metric:
oslogin.googleapis.com/write_requests
View this quota in the Google Cloud console:
- Description: Limit for initiating OS Login two-factor authentication attempts.
- Metric:
oslogin.googleapis.com/start_session_requests
View this quota in the Google Cloud console:
- Description: Limit for completing OS Login two-factor authentication attempts.
- Metric:
oslogin.googleapis.com/continue_session_requests
View this quota in the Google Cloud console:
Per region quotas
- Description: Limit for calls to the metadata server
for OS Login connection authorization checks and user lookups.
OS Login makes calls to the metadata server to retrieve OS Login users during the following operations:
- When a VM is created. OS Login caches the result.
- When a user attempts to connect to a VM.
- When system processes search for a user that isn't in the cache.
- Metric:
oslogin.googleapis.com/metadata_server_requests
View this quota in the Google Cloud console:
- Description: Limit for calls to the metadata server
for OS Login POSIX group lookups. If VMs don't have OS
Login groups
configured, metadata server groups quota might be
consumed, but consumption has no impact on VM performance.
OS Login makes calls to the metadata server to retrieve OS Login groups during the following operations:
- When a VM is created. OS Login caches the result.
- When system processes search for a group that isn't in the cache.
- Metric:
oslogin.googleapis.com/metadata_server_groups_requests
View this quota in the Google Cloud console:
Manage quotas
To manage the quotas for your project, do the following:
- Follow the best practices for preserving API rate limits .
-
Use the Google Cloud console to view and edit quotas:
- If you want to quotas, see Capping usage .
- If you need higher quotas than the default maximum, request a higher quota limit . In your request, add information showing the consumption rate in your environment. These include OS Login audit logs or other error messages stating that the rate limit is exceeded.
What's next?
- Learn more about working with Quotas .
- Learn more about OS Login .