I'm having an issue with the SDK. I followed this guide to get SSO with AWS. I'm able to add 4 roles using my code, but after that I get a 413.
My schema contains all of the roles under the SSO role array. So, each patch I make requires me to resubmit the entire role array according to the docs:
Note about arrays: Patch requests that contain arrays replace the existing array with the one you provide. You cannot modify, add, or delete items in an array in a piecemeal fashion.
Python Snippet:

    service.users().patch(userKey=email, body=new_custom_schema).execute()

new_custom_schema is a dictionary containing all nodes including and below customSchema.

Error:

    googleapiclient.errors.HttpError: <HttpError 413 when requesting https://www.googleapis.com/admin/directory/v1/users/user@domain.com?alt=json returned "Profile quota is exceeded.: Data is too large for">
Sample Schema Insert:

    {
      "fields": [
        {
          "fieldName": "role",
          "fieldType": "STRING",
          "readAccessType": "ADMINS_AND_SELF",
          "multiValued": true
        }
      ],
      "schemaName": "SSO"
    }
Sample User Patch:

    {
      "customSchemas": {
        "SSO": {
          "role": [
            {
              "customType": "AWSaccount1ReadOnly",
              "type": "work",
              "value": "arn:aws:iam::12345678910:role/gapps_readonly,arn:aws:iam::12345678910:saml-provider/GoogleApps"
            },
            {
              "customType": "AWSaccount1Admin",
              "type": "work",
              "value": "arn:aws:iam::12345678910:role/gapps_admin,arn:aws:iam::12345678910:saml-provider/GoogleApps"
            },
            {
              "customType": "AWSaccount2ReadOnly",
              "type": "work",
              "value": "arn:aws:iam::5101520253035:role/gapps_readonly,arn:aws:iam::5101520253035:saml-provider/GoogleApps"
            },
            {
              "customType": "AWSaccount2Admin",
              "type": "work",
              "value": "arn:aws:iam::5101520253035:role/gapps_admin,arn:aws:iam::5101520253035:saml-provider/GoogleApps"
            },
            {
              "customType": "AWSaccount3ReadOnly",
              "type": "work",
              "value": "arn:aws:iam::3691215182124:role/gapps_readonly,arn:aws:iam::3691215182124:saml-provider/GoogleApps"
            },
            {
              "customType": "AWSaccount3Admin",
              "type": "work",
              "value": "arn:aws:iam::3691215182124:role/gapps_admin,arn:aws:iam::3691215182124:saml-provider/GoogleApps"
            }
          ]
        }
      }
    }
In this example, I'm able to submit the first 5 without issue.
Any ideas would be greatly appreciated.
I submitted a support ticket to Google and found out that there is a 4KB (~1000 characters) limit on the multivalued field in a custom schema.
So, there are a couple options:
[Update]
You can't have multiple SAML apps with the same entity ID.
[Update 2]
The new limit seems to be roughly double the old limit: somewhere between 2087 and 2315 characters.
[Update 3]
It looks like this limit has been significantly increased. I have not run out of space yet.
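An added example, not part of the original post or of Google's SDK: because a patch replaces the whole `role` array, this sketch merges the existing entries with the new ones and checks the serialized size before any request is sent, so an oversized update fails locally instead of returning a 413. The helper names, the `ASSUMED_BUDGET_CHARS` value and the choice to measure characters of the compact JSON are assumptions, since the page gives only approximate and changing limits.

```python
import json

# Assumption: the budget and the way it is measured (characters of the
# JSON-serialized role array) are not documented on this page; tune both.
ASSUMED_BUDGET_CHARS = 2000


def merge_roles(existing, additions):
    """Return the full role array to send: a patch replaces the array,
    so existing entries must be resubmitted along with the new ones."""
    merged = {}
    for entry in list(existing) + list(additions):
        merged[entry["customType"]] = entry  # later entry wins on same name
    return list(merged.values())


def build_patch_body(existing, additions, budget=ASSUMED_BUDGET_CHARS):
    """Build the users().patch body, or raise before any request is sent."""
    roles = merge_roles(existing, additions)
    size = len(json.dumps(roles, separators=(",", ":")))
    if size > budget:
        raise ValueError(f"role array is {size} chars, budget is {budget}")
    return {"customSchemas": {"SSO": {"role": roles}}}


def make_role(name, account, role):
    """Constructed sample entry in the shape used by the user patch above."""
    value = (f"arn:aws:iam::{account}:role/{role},"
             f"arn:aws:iam::{account}:saml-provider/GoogleApps")
    return {"customType": name, "type": "work", "value": value}


if __name__ == "__main__":
    # Constructed sample data; account IDs reuse the post's example values.
    current = [make_role("AWSaccount1ReadOnly", "12345678910", "gapps_readonly")]
    new = [make_role("AWSaccount1Admin", "12345678910", "gapps_admin")]
    body = build_patch_body(current, new)
    print(len(body["customSchemas"]["SSO"]["role"]), "roles in patch body")
    # The request itself, as in the post:
    # service.users().patch(userKey=email, body=body).execute()
```

Merging by `customType` also keeps a re-run from appending duplicate entries, which would consume the budget without granting anything new.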