{
  "id": "policy/gcp-iam-role-denied-at-org-level",
  "signature": "Permission 'compute.instances.create' denied on resource 'projects/my-project' (or it may not exist).",
  "signature_zh": "在资源'projects/my-project'上拒绝权限'compute.instances.create'（或可能不存在）。",
  "regex": "Permission '.*' denied on resource 'projects/.*' \\(or it may not exist\\)\\.",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The caller's effective IAM policy does not include the 'compute.instances.create' permission on the project: none of the roles granted to the caller at the project, folder, or organization level contain it (IAM allow policies are additive and inherited downward; a lower level cannot revoke a parent's grant), or an IAM Deny policy attached at one of those levels blocks the permission. The '(or it may not exist)' clause is deliberate: Google Cloud returns this same message when the project ID is wrong or the caller cannot see the project, so the message does not reveal whether the resource exists. Before changing any policy, confirm the project ID and the active principal (`gcloud config list` and `gcloud auth list`); the active account is often a different user or service account than the one assumed to hold the role.",
  "root_cause_type": "generic",
  "root_cause_zh": "调用者的有效 IAM 策略不包含 'compute.instances.create' 权限：其在项目、文件夹或组织级别被授予的角色均不包含该权限（IAM 允许策略是累加并向下继承的，低层级无法撤销上层授权），或者某个 IAM 拒绝策略（Deny policy）阻止了该权限。错误消息中的'或可能不存在'是有意为之：当项目 ID 错误或调用者无法看到该项目时，Google Cloud 返回同样的消息，以避免泄露资源是否存在。修改策略前，先确认项目 ID 和当前活动身份（`gcloud config list`、`gcloud auth list`），因为活动账号往往是另一位用户或服务账号。",
  "versions": [
    {
      "version": "Google Cloud IAM v1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Google Compute Engine API v1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Re-authentication (`gcloud auth login`, refreshing tokens, re-activating a service account key) does not change any IAM policy; the same principal is evaluated against the same allow and deny policies, so the permission is still denied. It only helps in the one case where the active account was actually the wrong identity, which should be checked first with `gcloud auth list` rather than by repeatedly logging in.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "IAM allow policies are additive: a role granted at the organization or folder level is inherited by the project, and nothing in an allow policy at a lower level can revoke it. The only IAM mechanism that blocks an otherwise-granted permission is an IAM Deny policy (a separate policy type attached at the organization, folder, or project), and a matching deny takes precedence over any allow at any level. Editing only the project-level allow policy therefore does not help while a deny policy above it applies, and the deny is invisible in `get-iam-policy` output.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The permission check is performed server-side against the caller's effective IAM policy, so retrying, switching client (Console, gcloud, SDK, REST) or changing request parameters does not change the outcome: the same principal is evaluated for the same 'compute.instances.create' permission on the same project and the error will persist until the policy or the principal changes.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Grant a role containing the permission to the caller at the project level, e.g. `gcloud projects add-iam-policy-binding my-project --member='user:user@example.com' --role='roles/compute.instanceAdmin.v1'`. This requires `resourcemanager.projects.setIamPolicy` on the project (typically Owner or Project IAM Admin), so an administrator, not the blocked caller, usually has to run it. `roles/compute.instanceAdmin.v1` is broad; prefer the narrowest role and scope that covers the task, and if the instance runs as a service account the caller also needs `roles/iam.serviceAccountUser` on that service account. Verify effective access rather than only the binding, e.g. `gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=user@example.com --permission=compute.instances.create`; `gcloud projects get-iam-policy my-project` lists only the project-level allow policy and shows neither inherited roles nor deny policies.",
      "success_rate": 0.85,
      "how": "Grant a role containing the permission to the caller at the project level, e.g. `gcloud projects add-iam-policy-binding my-project --member='user:user@example.com' --role='roles/compute.instanceAdmin.v1'`. This requires `resourcemanager.projects.setIamPolicy` on the project (typically Owner or Project IAM Admin), so an administrator, not the blocked caller, usually has to run it. `roles/compute.instanceAdmin.v1` is broad; prefer the narrowest role and scope that covers the task, and if the instance runs as a service account the caller also needs `roles/iam.serviceAccountUser` on that service account. Verify effective access rather than only the binding, e.g. `gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=user@example.com --permission=compute.instances.create`; `gcloud projects get-iam-policy my-project` lists only the project-level allow policy and shows neither inherited roles nor deny policies.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Check for IAM Deny policies, which are separate from the allow policy and are the only IAM mechanism that can block an otherwise-granted permission. `gcloud organizations get-iam-policy ORGANIZATION_ID` shows only the organization's allow policy (role bindings), never contains deny rules, and requires `resourcemanager.organizations.getIamPolicy`, which ordinary callers usually lack. List deny policies with `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com%2Forganizations%2FORGANIZATION_ID --kind=denypolicies` (repeat for the folder and project attachment points), or ask an organization admin to run Policy Troubleshooter for the principal and permission. If a deny rule matches, have the admin add an exception principal or narrow the rule; a project-level grant will not override it.",
      "success_rate": 0.7,
      "how": "Check for IAM Deny policies, which are separate from the allow policy and are the only IAM mechanism that can block an otherwise-granted permission. `gcloud organizations get-iam-policy ORGANIZATION_ID` shows only the organization's allow policy (role bindings), never contains deny rules, and requires `resourcemanager.organizations.getIamPolicy`, which ordinary callers usually lack. List deny policies with `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com%2Forganizations%2FORGANIZATION_ID --kind=denypolicies` (repeat for the folder and project attachment points), or ask an organization admin to run Policy Troubleshooter for the principal and permission. If a deny rule matches, have the admin add an exception principal or narrow the rule; a project-level grant will not override it.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Create a custom role containing only the permissions the task actually needs and bind it to the caller (least privilege): `gcloud iam roles create customComputeAdmin --project=my-project --permissions=compute.instances.create`, then `gcloud projects add-iam-policy-binding` with `--role='projects/my-project/roles/customComputeAdmin'`. Note that `compute.instances.create` alone is usually insufficient to create a VM: depending on the request, Compute Engine also checks permissions such as `compute.disks.create` (boot disk), `compute.subnetworks.use` and `compute.subnetworks.useExternalIp` (networking), `compute.instances.setMetadata` / `compute.instances.setServiceAccount`, and `iam.serviceAccounts.actAs` on the attached service account, so expect further PERMISSION_DENIED errors naming the next missing permission until the role covers them. Creating the role requires `iam.roles.create` on the project, and a project-level custom role can only be bound within that project; create it at the organization level if it must be reused across projects.",
      "success_rate": 0.75,
      "how": "Create a custom role containing only the permissions the task actually needs and bind it to the caller (least privilege): `gcloud iam roles create customComputeAdmin --project=my-project --permissions=compute.instances.create`, then `gcloud projects add-iam-policy-binding` with `--role='projects/my-project/roles/customComputeAdmin'`. Note that `compute.instances.create` alone is usually insufficient to create a VM: depending on the request, Compute Engine also checks permissions such as `compute.disks.create` (boot disk), `compute.subnetworks.use` and `compute.subnetworks.useExternalIp` (networking), `compute.instances.setMetadata` / `compute.instances.setServiceAccount`, and `iam.serviceAccounts.actAs` on the attached service account, so expect further PERMISSION_DENIED errors naming the next missing permission until the role covers them. Creating the role requires `iam.roles.create` on the project, and a project-level custom role can only be bound within that project; create it at the organization level if it must be reused across projects.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Grant a role containing the permission to the caller at the project level, e.g. `gcloud projects add-iam-policy-binding my-project --member='user:user@example.com' --role='roles/compute.instanceAdmin.v1'`. This requires `resourcemanager.projects.setIamPolicy` on the project, so an administrator usually has to run it. `roles/compute.instanceAdmin.v1` is broad; prefer the narrowest role and scope, and if the instance runs as a service account the caller also needs `roles/iam.serviceAccountUser` on that service account. Verify effective access with `gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=user@example.com --permission=compute.instances.create`; `gcloud projects get-iam-policy my-project` shows only the project-level allow policy, not inherited roles or deny policies.",
    "Check for IAM Deny policies, which are separate from the allow policy. `gcloud organizations get-iam-policy ORGANIZATION_ID` shows only the organization's allow policy and never contains deny rules (and requires `resourcemanager.organizations.getIamPolicy`). List deny policies with `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com%2Forganizations%2FORGANIZATION_ID --kind=denypolicies` (also for the folder and project attachment points), or ask an organization admin to run Policy Troubleshooter. If a deny rule matches, the admin must add an exception principal or narrow the rule; a project-level grant will not override it.",
    "Create a custom role containing only the permissions the task needs and bind it (least privilege): `gcloud iam roles create customComputeAdmin --project=my-project --permissions=compute.instances.create`, then bind `projects/my-project/roles/customComputeAdmin`. `compute.instances.create` alone is usually insufficient to create a VM; depending on the request, Compute Engine also checks permissions such as `compute.disks.create`, `compute.subnetworks.use`, `compute.subnetworks.useExternalIp`, `compute.instances.setMetadata`, `compute.instances.setServiceAccount`, and `iam.serviceAccounts.actAs` on the attached service account, so expect further PERMISSION_DENIED errors until the role covers them. Creating the role requires `iam.roles.create` on the project."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://cloud.google.com/iam/docs/understanding-roles",
  "official_doc_section": null,
  "error_code": "PERMISSION_DENIED",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2023-03-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}