# Permission 'compute.instances.create' denied on resource 'projects/my-project' (or it may not exist).

- **ID:** `policy/gcp-iam-role-denied-at-org-level`
- **Domain:** policy
- **Category:** auth_error
- **Error code:** `PERMISSION_DENIED`
- **Verification level:** ai_generated
- **Fix rate:** 85%

## Root cause

Either an IAM deny policy attached at the organization, folder or project level denies the caller the `compute.instances.create` permission (deny rules take precedence over every allow binding, wherever the binding sits), or none of the roles bound to the caller in the allow policies at those levels include that permission.

Two caveats before changing any bindings. First, the "(or it may not exist)" suffix is literal: Compute Engine returns the same message when the project ID is wrong or the caller has no access to the project at all, so the error does not confirm that `projects/my-project` exists. Second, confirm which principal is actually making the call (`gcloud auth list`) and which project is targeted (`gcloud config get-value project`); a stale login or an unexpected service account is a frequent cause of this error.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Google Cloud IAM v1 | active | — | — |
| Google Compute Engine API v1 | active | — | — |

## Solutions

1. Grant a role that contains the permission to the caller at the project level: `gcloud projects add-iam-policy-binding my-project --member='user:user@example.com' --role='roles/compute.instanceAdmin.v1'`. Verify with `gcloud projects get-iam-policy my-project`. If the instance is created with a service account attached, the caller additionally needs `iam.serviceAccounts.actAs` on that service account (for example via `roles/iam.serviceAccountUser`), otherwise the next failure is a permission error on the service account rather than on the project.
2. Check for a deny policy higher in the hierarchy. `gcloud organizations get-iam-policy ORGANIZATION_ID` prints only the allow policy (role bindings); deny rules live in separate deny policies, listed with `gcloud iam policies list --attachment-point=cloudresourcemanager.googleapis.com%2Forganizations%2FORGANIZATION_ID --kind=denypolicies`. `gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/my-project --principal-email=user@example.com --permission=compute.instances.create` evaluates both allow and deny policies for the caller and reports which one blocks the call. If a deny rule matches, ask the organization admin to remove it or to add the caller to its exception principals; nothing granted at the project level can override it.
3. Create a custom role with the specific permission and bind it to the caller: `gcloud iam roles create customComputeAdmin --project=my-project --permissions=compute.instances.create`, then `gcloud projects add-iam-policy-binding my-project --member='user:user@example.com' --role='projects/my-project/roles/customComputeAdmin'`. Creating an instance normally requires several further permissions (such as `compute.disks.create` for the boot disk and `compute.subnetworks.use` for the network), so a role carrying only `compute.instances.create` usually fails on the next check; `gcloud iam roles describe roles/compute.instanceAdmin.v1` lists the permissions of the predefined role as a starting point.
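The three steps above all come down to one question: does the caller hold `compute.instances.create` through some unconditional allow binding in the hierarchy, and is no deny policy blocking it? The following script, an added example that is not part of this page or of Google's tooling, answers that question offline from the JSON that `gcloud ... get-iam-policy --format=json`, `gcloud iam roles describe ROLE --format=json` and `gcloud iam policies list --kind=denypolicies --format=json` print. The policy documents, the member and the role-to-permission map are constructed samples (the map is a small subset of each role's real `includedPermissions`); the `principal://goog/subject/EMAIL` and `SERVICE.googleapis.com/RESOURCE.VERB` identifier formats used in deny policies are taken from the deny-policy documentation and noted as assumptions in the code.

```python
"""Offline check of whether a principal effectively holds a GCP IAM permission.

Added example for this page, not Google's code. All policy documents below
are constructed samples in the shape gcloud prints with --format=json.
"""

PERMISSION = "compute.instances.create"
MEMBER = "user:user@example.com"

# Constructed subset of includedPermissions; the real roles list many more.
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.create", "compute.instances.delete",
        "compute.disks.create", "compute.subnetworks.use",
    },
    "projects/my-project/roles/customComputeAdmin": {"compute.instances.create"},
}

# (level, allow policy) from the top of the hierarchy down; constructed samples.
ALLOW_POLICIES = [
    ("organization", {"bindings": [
        {"role": "roles/viewer", "members": ["user:user@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:user@example.com"],
         "condition": {"title": "business-hours",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ]}),
    ("project", {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:user@example.com"]},
    ]}),
]

# Constructed deny policy attached at the organization. Deny policies name
# permissions as SERVICE.googleapis.com/RESOURCE.VERB and principals as
# principal://goog/subject/EMAIL (formats assumed from the deny-policy docs).
DENY_POLICIES = [
    ("organization", {"rules": [{"denyRule": {
        "deniedPrincipals": ["principal://goog/subject/user@example.com"],
        "deniedPermissions": ["compute.googleapis.com/instances.create"],
        "exceptionPrincipals": [],
    }}]}),
]


def deny_form(permission):
    """compute.instances.create -> compute.googleapis.com/instances.create"""
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def deny_principal(member):
    """Allow-policy member string -> deny-policy principal identifier (assumed format)."""
    kind, ident = member.split(":", 1)
    if kind in ("user", "serviceAccount"):
        return f"principal://goog/subject/{ident}"
    if kind == "group":
        return f"principalSet://goog/group/{ident}"
    raise ValueError(f"unsupported member type: {kind}")


def granting_roles(allow_policies, member, permission, role_permissions):
    """Bindings anywhere in the hierarchy that give `member` (or everyone) a role
    containing `permission`. Conditional bindings are returned separately: the
    CEL condition cannot be evaluated offline, so they do not count as a grant."""
    unconditional, conditional = [], []
    for level, policy in allow_policies:
        for binding in policy.get("bindings", []):
            members = set(binding.get("members", []))
            if not ({member, "allUsers", "allAuthenticatedUsers"} & members):
                continue
            if permission not in role_permissions.get(binding["role"], ()):
                continue
            target = conditional if "condition" in binding else unconditional
            target.append((level, binding["role"]))
    return unconditional, conditional


def denying_levels(deny_policies, member, permission):
    """Hierarchy levels whose deny policy blocks `permission` for `member`."""
    principal, perm = deny_principal(member), deny_form(permission)
    levels = []
    for level, policy in deny_policies:
        for rule in policy.get("rules", []):
            deny = rule.get("denyRule", {})
            if principal in deny.get("exceptionPrincipals", []):
                continue
            if principal in deny.get("deniedPrincipals", []) and perm in deny.get("deniedPermissions", []):
                levels.append(level)
    return levels


def explain(allow_policies, deny_policies, role_permissions, member, permission):
    """A deny rule wins over every allow binding, so a grant at the project
    level cannot fix a deny inherited from the organization."""
    grants, conditional = granting_roles(allow_policies, member, permission, role_permissions)
    denies = denying_levels(deny_policies, member, permission)
    return {
        "allowed": bool(grants) and not denies,
        "granting_bindings": grants,
        "conditional_bindings": conditional,
        "denied_at": denies,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(explain(ALLOW_POLICIES, DENY_POLICIES, ROLE_PERMISSIONS, MEMBER, PERMISSION), indent=2))
    # The same bindings succeed once the organization-level deny is gone.
    print(json.dumps(explain(ALLOW_POLICIES, [], ROLE_PERMISSIONS, MEMBER, PERMISSION), indent=2))
```

With the sample data the caller is not allowed even though the project-level `roles/compute.instanceAdmin.v1` binding contains the permission: the organization-level deny rule is reported under `denied_at`, and the conditional organization binding is listed but not counted, which is exactly the situation step 2 above describes. Dropping the deny policy flips `allowed` to true without touching any allow binding. To use it on a real project, replace the constructed dictionaries with `json.load` of the gcloud output and extend `ROLE_PERMISSIONS` from `gcloud iam roles describe` for every role that appears in the bindings.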

## Ineffective attempts

- Re-authenticating: this does not change the IAM policy, so the permission is still denied. (90% failure rate)
- Granting the role only at the project level: permissions are inherited from higher levels (organization, folder), and a deny at those levels overrides a project-level grant. (70% failure rate)
- The underlying permission is the same regardless of how the call is made, so the error persists. (85% failure rate)
