203101 - Failed to Update Cloud Armor Security Policy Rule
Agent error code #203101 indicates that the agent could not update (patch) the Cloud Armor security policy rule in GCP. The error message includes additional detail about the underlying cause (e.g., authentication, authorization, or timeout).
This error occurs during the PATCH phase of a grant or revocation operation, after the rule was successfully retrieved.
Common causes include:
- The service account lacks the compute.securityPolicies.update permission (see also #203002)
- The security policy or rule was deleted between the GET and PATCH operations
- A GCP organization policy is preventing modifications to security policies
- The GCP API returned an error during the update
Steps to Resolve
Check IAM Permissions
- Ensure the service account has the compute.securityPolicies.update permission
- The compute.securityPolicies.get permission alone is not sufficient; update permission is also required
- See error #203002 for detailed IAM troubleshooting steps
Verify the Security Policy and Rule Still Exist
- In the GCP Console, navigate to Network Security > Cloud Armor
- Confirm the security policy and its rule at the configured priority have not been deleted
Check Organization Policies
- Some GCP organizations enforce policies that restrict modifications to security policies
- Contact your GCP organization administrator if restrictions are in place
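The first two checks above can also be run from a shell with gcloud. This is an added example, not part of the original page or the agent's own tooling; the project, service account, policy name and priority are placeholders supplied by the caller, and only project-level IAM bindings are inspected.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Project, service account, policy name and
# priority are supplied by the caller; nothing here modifies GCP resources.

NEEDED="compute.securityPolicies.update"

# Print the permissions in one role, one per line.
# Custom roles must be described with their parent project or organization.
role_permissions() {
  local role="$1"
  case "$role" in
    projects/*)      set -- "${role##*/}" "--project=$(echo "$role" | cut -d/ -f2)" ;;
    organizations/*) set -- "${role##*/}" "--organization=$(echo "$role" | cut -d/ -f2)" ;;
    *)               set -- "$role" ;;
  esac
  gcloud iam roles describe "$@" --format="value(includedPermissions)" | tr ';' '\n'
}

# Succeed if a role bound to the service account on the project grants update.
# Assumption: only project-level bindings are inspected; folder or
# organization bindings and IAM conditions are not evaluated.
sa_can_update() {
  local project="$1" sa="$2" role
  for role in $(gcloud projects get-iam-policy "$project" \
      --flatten="bindings[].members" \
      --filter="bindings.members:$sa" \
      --format="value(bindings.role)"); do
    role_permissions "$role" | grep -qxF "$NEEDED" && return 0
  done
  return 1
}

# Succeed if the policy and the rule at the given priority both still exist.
rule_exists() {
  local project="$1" policy="$2" priority="$3"
  gcloud compute security-policies describe "$policy" \
    --project="$project" >/dev/null 2>&1 &&
  gcloud compute security-policies rules describe "$priority" \
    --security-policy="$policy" --project="$project" >/dev/null 2>&1
}

# Usage (constructed values):
#   sa_can_update my-project agent@my-project.iam.gserviceaccount.com
#   rule_exists   my-project edge-policy 1000
```

A non-zero exit from sa_can_update with get present but update absent matches the "get alone is not sufficient" case described under Check IAM Permissions.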