# Permission 'compute.instances.create' denied on resource 'projects/my-project' (or it may not exist).

- **ID:** `policy/gcp-iam-role-denied-at-org-level`
- **Domain:** policy
- **Category:** auth_error
- **Error Code:** `PERMISSION_DENIED`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

An IAM deny policy at the organization, folder, or project level blocks the 'compute.instances.create' permission for the caller, or none of the roles granted to the caller (directly or inherited from a parent resource) include that permission. Google Cloud returns the same message when the project ID is wrong or the caller cannot see the project at all, which is why the error ends with "or it may not exist".

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Google Cloud IAM v1 | active | — | — |
| Google Compute Engine API v1 | active | — | — |

## Workarounds

1. **Grant the required role to the caller at the project level with gcloud, then verify the binding.** (85% success)
   ```
   gcloud projects add-iam-policy-binding my-project \
     --member='user:user@example.com' \
     --role='roles/compute.instanceAdmin.v1'
   gcloud projects get-iam-policy my-project
   ```
2. **Check organization-level policies for a deny rule; if one exists, ask the organization admin to remove it or grant an exception.** (70% success)
   ```
   gcloud organizations get-iam-policy ORGANIZATION_ID
   ```
3. **Create a custom role containing the specific permission, then bind it to the caller.** (75% success)
   ```
   gcloud iam roles create customComputeAdmin --project=my-project \
     --permissions=compute.instances.create
   ```
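The verification step in workarounds 1 and 3 is easier to reason about when the policy is inspected programmatically rather than read by eye. The script below is an added example, not part of this entry or of any Google tooling: it takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and reports which bindings give a member a role that carries `compute.instances.create`, distinguishing unconditional grants from grants behind an IAM condition. The policy document, the member names and the `ROLE_PERMISSIONS` lookup table are constructed for the example; in a real check the table must be built from `gcloud iam roles describe ROLE` rather than hand-written.

```python
import json

# Assumed, partial lookup of which permissions each role carries. In a live check
# build this from `gcloud iam roles describe ROLE --format=json` (field
# "includedPermissions"); the entries here are illustrative only.
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.get", "compute.instances.list",
    },
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "projects/my-project/roles/customComputeAdmin": {"compute.instances.create"},
}

# Constructed sample in the shape of `gcloud projects get-iam-policy my-project
# --format=json`. The etag, expression and principals are made up.
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/compute.viewer",
         "members": ["user:user@example.com", "group:devs@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:user@example.com"],
         "condition": {
             "title": "business-hours-only",
             "expression": "request.time.getHours('Europe/Berlin') >= 9 && "
                           "request.time.getHours('Europe/Berlin') < 18"}},
        {"role": "projects/my-project/roles/customComputeAdmin",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["user:user@example.com"]},
    ],
})


def bindings_for_member(policy, member):
    """Bindings that name `member` directly, plus public bindings.

    Group and domain membership is not expanded here (that needs a directory
    lookup), so a grant received through a group is not visible to this check.
    """
    out = []
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        if member in members or members & {"allUsers", "allAuthenticatedUsers"}:
            out.append(binding)
    return out


def grants_for(policy, member, permission, role_permissions=ROLE_PERMISSIONS):
    """Split the member's roles into those known to carry `permission`
    unconditionally, those that carry it only behind an IAM condition, and
    roles absent from the lookup table (reported, never silently ignored)."""
    unconditional, conditional, unknown = [], [], []
    for binding in bindings_for_member(policy, member):
        role = binding["role"]
        perms = role_permissions.get(role)
        if perms is None:
            unknown.append(role)
        elif permission in perms:
            (conditional if "condition" in binding else unconditional).append(role)
    return unconditional, conditional, unknown


def verdict(policy_json, member, permission):
    """Summarise whether the project-level policy explains a PERMISSION_DENIED.

    status is 'granted', 'conditional-only', 'undetermined' (only roles the
    table does not know about) or 'not-granted'.
    """
    policy = json.loads(policy_json)
    unconditional, conditional, unknown = grants_for(policy, member, permission)
    if unconditional:
        status = "granted"
    elif conditional:
        status = "conditional-only"
    elif unknown:
        status = "undetermined"
    else:
        status = "not-granted"
    return {"status": status, "unconditional": unconditional,
            "conditional": conditional, "unknown_roles": unknown}


if __name__ == "__main__":
    for principal in ("user:user@example.com",
                      "serviceAccount:ci@my-project.iam.gserviceaccount.com",
                      "user:nobody@example.com"):
        print(principal, verdict(SAMPLE_POLICY, principal, "compute.instances.create"))
```

A result of `conditional-only` is worth recognising: the binding exists, `get-iam-policy` shows it, yet calls outside the condition window still fail with exactly this error. Two caveats apply to the workarounds themselves. IAM deny policies are a separate resource from the allow policy that `get-iam-policy` prints; at the organization or folder level they are listed with `gcloud iam policies list --kind=denypolicies --attachment-point=...`, so an empty allow policy does not rule one out. And a custom role holding only `compute.instances.create` is normally not sufficient by itself to create a VM, because the create call also touches disks, networks and subnetworks; check the Compute Engine documentation for the full permission set the call needs before narrowing a custom role that far.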

## Dead Ends

- **Re-authenticating the caller** — Re-authentication does not change the IAM policy; the permission is still denied. (90% fail)
- **Granting the role only at the project level** — Permissions can be inherited from higher levels (organization, folder); a deny at those levels overrides project-level grants. (70% fail)
- **Retrying through a different client or API version** — The underlying permission is the same; the error will persist. (85% fail)
