Google Cloud Spanner

DEADLINE_EXCEEDED on Cloud Spanner: what causes it and how to fix

By Sai Kiran Pandrala · Last verified: 2026-05-31 · Source: community Q&A, Google Cloud docs, Google Cloud Community

At a glance
ServiceGoogle Cloud Spanner
CloudGoogle Cloud (GCP)
Guide typeProcedure
Skill levelIntermediate to advanced
Time15 - 60 minutes depending on account size

Engineers running Google Cloud Spanner hit DEADLINE_EXCEEDED on Cloud Spanner, what causes it and how to fix often enough that there is a stable fix pattern. This page captures it in the order Google Cloud support would run it during a real incident.

What deadline_exceeded on cloud spanner, what causes it and how to fix actually involves on Google Cloud Spanner

Real-world context. Budget honestly for ~Rs 0 INR for the fix, support adds Rs 2,500 to Rs 80,000 INR per month (around $30 to $960 USD/month), because the cheap path looks tempting until a part shows up wrong. You will burn ~15 to 45 minutes hands-on and roughly ~1 to 4 hours including IAM review and validation once verification is done. Before you touch anything, line up an Owner or relevant IAM role, gcloud CLI signed in, and a Cloud Logging filter ready, those three are what saves you when the first attempt does not stick.

The DEADLINE_EXCEEDED error from AWS typically surfaces with the message "Operation did not complete within deadline". The error code itself is what you grep for in AWS re:Post or in AWS Support cases, not the human-readable line.

On Cloud Spanner, this most often comes from one of three causes: a missing or restrictive IAM permission, a service-level limit you have hit, or a transient AWS-side capacity issue. The fix path differs by which.

The rest of this page is the structured fix path. Start with diagnose, then remediation, then the automation options so you do not have to do this by hand the next time it surfaces. Verify and safety sections at the end are the discipline that keeps the fix from regressing in production.

Diagnose first, fix second

Check the Google Cloud Service Health at status.cloud.google.com and the per-product status board for ongoing service events in your region. About one in ten user-reported outages turn out to be region-scoped Google Cloud service degradation already being tracked. Cloud Service Health also exposes an API and Eventarc events, so you can wire a Lambda hook that pages on-call only when the failure correlates with an active Cloud Service Health event in the same region and service.

Start by capturing the exact Google Cloud error string. The Cloud Console truncates messages in popups, but Cloud Logging keeps the full record in protoPayload.status and protoPayload.methodName. The camelCase error code (e.g. AccessDenied, InsufficientInstanceCapacity, ConditionalCheckFailedException) is the thing you grep for in Google Cloud Community and StackOverflow, not the human-readable sentence next to it. Paste the code into the re:Post search bar in quotes and you will usually land on at least one Google-staff-verified answer within the first three results.

Pull the Google Cloud request ID from the response headers: x-goog-request-id from response headers (or the insertId field in Cloud Logging for asynchronous calls). Google Cloud Support needs these IDs to look up your call in their internal logs - without them, the first reply on a ticket will ask you to reproduce the call and capture them. Save them with a timestamp; Google Cloud Support cannot retrieve calls older than 90 days for most services.

Solution-focused remediation path

If quotas are suspect, the Quotas page in Cloud Console (IAM & Admin > Quotas) console shows current usage and the active limit side by side. Request increases through Quotas page in Cloud Console (IAM & Admin > Quotas), not through Support tickets - quota dashboard requests usually approve faster (often within minutes for soft limits) and they are auditable in Cloud Audit Logs. Set up Quotas page in Cloud Console (IAM & Admin > Quotas) + Cloud Monitoring alert policys at 80 percent usage so you get notified before you hit the wall.

If networking is suspect, use Network Intelligence Connectivity Tests. It is the only tool that simulates the full ENI-to-ENI path including firewall rules, hierarchical firewall policies, routes, and VPC Service Controls perimeters in one call. Manual trace is slower and misses transitive issues. The analyzer charges $0.10 per analysis - cheaper than a 30-minute call with your network team.

If the issue points at IAM, do not start by adding * to a policy. Use IAM Policy Troubleshooter and IAM Recommender against the failed action to see the minimum scope. Adding * is the fastest way to fail your next Google Cloud Architecture Framework security review, and it usually does not even fix the issue because the explicit deny is often coming from a higher level (Org Policy, RCP, or permission boundary), not a missing allow.

Automate this fix so you do not do it twice

Wire the fix into Eventarc for self-healing

If the failure mode is recurring, automate the remediation instead of the diagnosis. Eventarc Scheduler or rules that watch Cloud Logging events for the specific error code can invoke a Lambda that runs the same fix you would run by hand. The Lambda must be idempotent (re-running it on already-healthy resources must be a no-op) and must emit a Cloud Monitoring metric so you can track how often the auto-fix fires. A spike in auto-fix invocations is itself a signal worth alerting on.

# Eventarc rule pattern (JSON)
{ "source": ["aws.google"], "detail-type": ["Google Cloud API Call via Cloud Audit Logs"], "detail": { "errorCode": ["AccessDenied", "ThrottlingException"] }
}

Automate the fix with the gcloud CLI

The CLI one-liner pattern for Google Cloud Spanner operations is roughly: gcloud google describe RESOURCE --format=json --filter ... to read state, gcloud google update RESOURCE --quiet to apply the change, and gcloud google describe RESOURCE --format=json --filter ... again to verify. Wrap it in a shell script that sets a region variable at the top and exits on first error with set -euo pipefail so a partial run does not leave the account in a half-fixed state.

# Template - replace placeholders with your account specifics
export GOOGLE_CLOUD_REGION=us-central1
export GOOGLE_CLOUD_PROJECT=prod-project
gcloud google describe RESOURCE --format=json --filter 'Resources[?Status==`FAILED`].[Id,Reason]' --output table
gcloud google modify-... --resource-id RESOURCE_ID --no-dry-run
gcloud google describe RESOURCE_ID --query 'Status'

Automate the fix with Python and boto3

For anything you do more than twice, write a small Python script. The boto3 pattern below uses paginators (so it does not blow up on accounts with thousands of resources), explicit region binding, and a dry-run flag that defaults to True. Keep the script under 100 lines; if it grows beyond that, you are building a tool and should put it behind a Lambda with proper logging.

import boto3, sys
DRY_RUN = '--apply' not in sys.argv
client = boto3.client('google', region_name='us-east-1')
paginator = client.get_paginator('describe_...')
for page in paginator.paginate(): for item in page.get('Items', []): if item.get('Status') == 'FAILED': if DRY_RUN: print(f'[dry-run] would fix {item["Id"]}') else: client.modify_...(ResourceId=item['Id']) print(f'fixed {item["Id"]}')

Common pitfalls and what to watch for

A subtle pitfall on Google Cloud Spanner is that the Cloud Console and the SDK can disagree about resource state during a configuration change. Console UI is cached for performance and may show the old config for up to 10 minutes after you change it via API or Deployment Manager or Terraform. Always confirm with describe-* CLI calls during a change window, not with screenshots from the Console.

The other pitfall: assuming that an automated remediation is correct because it succeeded. A Lambda that fires on a Cloud Monitoring alert policy and runs a remediation step should also publish a metric for every remediation; sudden surges in auto-fix invocations are themselves an outage signal. Otherwise you can hide a slow-burn regression behind a quiet remediation loop for weeks.

Verify the fix worked

Safety, rollback, blast radius

FAQ

How long does deadline_exceeded on cloud spanner. what causes it and how to fix typically take on Google Cloud?
For most Google Cloud Spanner environments, 15 to 60 minutes including verification. Large multi-account setups, anything touching Org Policys at the Organizations level, or cross-region replication can stretch to half a day because Google Cloud has to wait for replication and IAM session caches.
Is there a rollback path?
Yes for most Google Cloud Spanner changes. Export the existing config to JSON via gcloud google describe-... first, then commit it before you change anything. A few operations are one-way (Cloud KMS key deletion past the pending window, region migration, account closure). Check the Google Cloud doc for the specific API before you commit.
Will this affect dependent Google Cloud services?
Often yes. Google Cloud Spanner resources are usually referenced by other workloads (Cloud Run services, GKE workloads, IAM-bound apps, Cloud CDN origins, downstream pipelines). Use IAM Access Analyzer + Cloud Audit Logs to enumerate consumers before changing a shared resource.
What if my Cloud Console layout does not match these steps?
Cloud Console UI moves quarterly. The Console layout in this page is current as of 2026-05-31 but the underlying CLI / SDK calls do not change as fast. If the Console version differs, fall back to aws CLI or SDK calls - those almost always still work.
Where do I get Google Cloud Support help if I am still stuck?
Open a case via the Google Cloud Support Center with: the request ID + correlation ID, the exact error string, Cloud Audit Log event, and your reproduction steps. Google Cloud Community is the no-cost public alternative - search there first; 80% of common Google Cloud Spanner issues already have an answer with an Google-staff-verified flag.

References

Related guides worth a look while you sort this one out: