Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Configure Retry Policy for Cloud Tasks Queues

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that each Cloud Tasks queue has a compliant retry policy to limit the number of retries for failed tasks, preventing infinite loops or excessive downstream service invocations. A retry policy is considered compliant if the "maxAttempts" parameter (i.e., the maximum number of attempts per task in the queue) is set to a value other than -1 (unlimited attempts).

Reliability
Performance
efficiency

Ensuring a retry policy is configured for Cloud Tasks queues is important to control how and when failed tasks are retried. This prevents infinite retries, protects downstream services from excessive requests, and allows for efficient error handling by defining limits, delays, and strategies for retrying failed tasks.

Audit

To determine if a retry policy is configured for your Google Cloud Tasks queues, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Click on the name (link) of the queue that you want to examine and select the CONFIGURATION tab to view the configuration settings available for the selected resource.

05 In the Retry parameters section, check the Max attempts attribute value to determine the maximum number of attempts per task in the queue. If the Max attempts attribute value is set to Unlimited, the selected Cloud Tasks queue has no retry policy, meaning tasks are retried indefinitely.

06 Repeat steps no. 4 and 5 for each Cloud Tasks queue available within the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
cc-web-project-123123
cc-iot-project-112233

03 Run tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region: 

gcloud tasks queues list
	--project="cc-web-project-123123"
	--location="us-central1"
	--format="default(name)"

04 The command output should return the requested queue IDs: 

---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue

05 Run tasks queues describe command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to determine the maximum number of attempts per task in the selected queue: 

gcloud tasks queues describe projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue
	--format="default(retryConfig.maxAttempts)"

06 The command output should return the "maxAttempts" attribute values: 

retryConfig:
	maxAttempts: -1

Check the maxAttempts attribute value returned by the tasks queues describe command output to determine the number of attempts per task. If the maxAttempts attribute value is set to -1 (unlimited attempts), as shown in the example above, the selected Cloud Tasks queue has no retry policy, resulting in indefinite task retries.

07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that each Cloud Tasks queue within your GCP project has a compliant retry policy limiting the number of retries for failed tasks, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Click on the name (link) of the queue that you want to configure and choose EDIT QUEUE from the top menu to modify the queue configuration.

05 Set the Max attempts field in the Retry configuration section to a positive value to enable the retry policy for the selected Cloud Tasks queue. Choose SAVE to apply the changes.

06 Repeat steps no. 5 and 6 for each Cloud Tasks queue that you want to configure, available within the selected GCP project.

07 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run tasks queues update command (OSX/Linux/UNIX) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to enable the retry policy for the selected queue by setting the --max-attempts parameter to a positive value. The --max-attempts parameter sets the maximum number of attempts per task in the queue: 

gcloud tasks queues update projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue
	--max-attempts=100

02 The command output should return the update operation status: 

Updated queue [us-central1/cc-app-notification-queue].

03 Repeat steps no. 1 and 2 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Mar 27, 2025

Related CloudTasks rules