PERMISSION_DENIED
policy
auth_error
ai_generated: true
Permission 'compute.instances.create' denied on resource 'projects/my-project' (or it may not exist).
ID: policy/gcp-iam-role-denied-at-org-level
Fix rate: 85%
Confidence: 88%
Evidence count: 1
First seen: 2023-03-10
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Google Cloud IAM v1 | active | — | — | — |
| Google Compute Engine API v1 | active | — | — | — |
Root cause analysis
The IAM policy at the organization, folder, or project level denies the 'compute.instances.create' permission for the caller, or the caller's role does not include this permission.
Official documentation
https://cloud.google.com/iam/docs/understanding-roles
Solutions
- Grant the required role to the caller at the project level using gcloud: `gcloud projects add-iam-policy-binding my-project --member='user:[email protected]' --role='roles/compute.instanceAdmin.v1'`. Verify with `gcloud projects get-iam-policy my-project`.
- Check organization-level policies by running `gcloud organizations get-iam-policy ORGANIZATION_ID` to see whether there is a deny rule. If there is, ask the organization admin to remove the deny or grant an exception.
- Create a custom role containing only the specific permission and assign it to the caller: `gcloud iam roles create customComputeAdmin --project=my-project --permissions=compute.instances.create`, then bind it.
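To see why a project-level grant can still end in PERMISSION_DENIED, the following added example (not code from the original page or from Google) models how IAM resolves one permission across the organization, folder and project levels. All policies are constructed samples, ROLE_PERMISSIONS is an assumed subset of the real predefined roles, and the deny-policy shape is simplified to principals and permissions.

```python
# Added example: offline model of GCP IAM permission resolution (constructed data).
PERMISSION = "compute.instances.create"

# Assumed subset of predefined roles and whether they carry the permission.
ROLE_PERMISSIONS = {
    "roles/owner": {PERMISSION},
    "roles/editor": {PERMISSION},
    "roles/compute.instanceAdmin.v1": {PERMISSION},
    "roles/compute.viewer": set(),  # read-only: cannot create instances
}

def roles_granting(allow_policy, member, permission):
    """Roles in one allow policy (the `get-iam-policy` shape) that give
    `member` the permission."""
    return [b["role"] for b in allow_policy.get("bindings", [])
            if member in b.get("members", [])
            and permission in ROLE_PERMISSIONS.get(b["role"], set())]

def resolve(hierarchy, deny_policies, member, permission):
    """hierarchy: list of (level, allow_policy) from organization down to project.
    Allow policies are additive across levels, so a binding at any ancestor is
    enough; a matching deny policy at any level overrides every grant."""
    for level, deny in deny_policies:  # simplified deny-policy shape (assumed)
        for rule in deny.get("denyRules", []):
            if (member in rule["deniedPrincipals"]
                    and permission in rule["deniedPermissions"]):
                return ("denied", f"deny rule at {level} level")
    for level, policy in hierarchy:
        roles = roles_granting(policy, member, permission)
        if roles:
            return ("allowed", f"{roles[0]} bound at {level} level")
    return ("denied", "no binding grants the permission at any level")

def remediation(project, member):
    """The project-level fix recommended above, as a gcloud command string."""
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member='{member}' --role='roles/compute.instanceAdmin.v1'")

# Constructed sample: the caller only holds compute.viewer on the project.
USER = "user:alice@example.com"  # hypothetical principal
PROJECT_POLICY = {"bindings": [
    {"role": "roles/compute.viewer", "members": [USER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}
ORG_POLICY = {"bindings": []}
ORG_DENY = {"denyRules": [{"deniedPrincipals": [USER],
                           "deniedPermissions": [PERMISSION]}]}

if __name__ == "__main__":
    verdict, why = resolve([("organization", ORG_POLICY),
                            ("project", PROJECT_POLICY)], [], USER, PERMISSION)
    print(verdict, why, "->", remediation("my-project", USER))
```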
Ineffective attempts
Common approaches that do not work:
- 90% failure: Re-authentication does not change the IAM policy; the permission is still denied.
- 70% failure: Permissions can be inherited from higher levels (organization, folder); a deny at those levels overrides project-level grants.
- 85% failure: The underlying permission is the same; the error will persist.